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ARE OUR NATION’S PORTS SECURE? 
EXAMINING THE TRANSPORTATION WORKER 
IDENTIFICATION CREDENTIAL PROGRAM 


TUESDAY, MAY 10, 2011 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The committee met, pursuant to notice, at 2:30 p.m. in room SR- 
253, Russell Senate Office Building, Hon. Frank R. Lautenberg, 
presiding. 

OPENING STATEMENT OF HON. FRANK R. LAUTENBERG, 
U.S. SENATOR FROM NEW JERSEY 

Senator Lautenberg. I’m pleased to open this hearing of the 
Committee on Commerce, Science, and Transportation. We’ve got 
important subjects at hand here. 

And we are pleased to see our colleague from the House of Rep- 
resentatives, The Honorable John Mica, who is the Chairman of 
the Committee of Jurisdiction on the House side. 

And, Mr. Mica, we welcome you. And we ask you to give your 
testimony. It’s customary to have a 5-minute period for presen- 
tation, but if there is a need to extend it, please don’t be unwilling 
to ask for it. And we’ll start the clock, please, at the 5-minute level. 

Thank you. 

And, Mr. Mica, the table — the microphone is yours, sir. 

STATEMENT OF HON. JOHN L. MICA, CHAIRMAN, COMMITTEE 

ON TRANSPORTATION AND INFRASTRUCTURE, U.S. HOUSE 

OF REPRESENTATIVES 

Mr. Mica. Well, thank you. And I’m pleased to be on the Senate 
side this afternoon, and also to work jointly with your committee. 

And actually. I’m here today because I think the subject before 
you is — well, the title is, “Are Our Nation’s Ports Secure? Exam- 
ining the Transportation Worker Identification Credential Pro- 
gram.” And I think also you’re going to focus on a GAO report that 
I had the opportunity to be a co-requester with members of this im- 
portant Senate committee. So, I will try to talk about both the GAO 
report and also the issue at hand of credentialing our transpor- 
tation workers. 

I’ve submitted a full statement for the record, and I’ll just give 
some comments here. 

As you know, Mr. Chairman and other members, for nearly a 
decade now the federal government has struggled to produce a 

( 1 ) 
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transportation worker identification credential. We’ve tried to 
produce a credential for airport and transportation workers. We’ve 
attempted to produce a pilot’s license. And we’ve also attempted to 
produce a frequent airline traveler identification card. After spend- 
ing years and nearly half a billion dollars, we have, unfortunately, 
missed the mark. We’ve spent nearly half a billion dollars, and un- 
fortunately, we do not have a TWIG card that provides secure iden- 
tification, as you’ll hear from GAO today, and also that your com- 
mittee staff has revealed in their report. 

I read your committee report. Being a former Senate staffer, I 
want to thank them. They did some excellent work. The report — 
the key findings are summarized very clearly — it says, “GAO inves- 
tigators were able to access secure facilities” — this is using TWIG 
cards or fraudulent cards — they “were able to access secure facili- 
ties at U.S. ports during covert tests in which they presented either 
counterfeit TWIG cards, authentic TWIG cards obtained through 
fraudulent means, or falsified reasons for requesting access to the 
security.” Then they also summarized and said, the — “DHS has not 
adequately assessed the effectiveness of the TWIG Program, nor 
has DHS demonstrated that the current TWIG Program enhances 
port and facility security better than what we’ve had in the past.” 

One other key finding is the GAO — in the GAO report, that you 
cite in your report, is that TSA does not have clear criteria for ap- 
plying discretionary authority to applicants who have past criminal 
convictions. 

These are just the highlights of some of the findings, not that I 
came up with, but that your staff recited from the GAO report. 

As Ghair of the House Aviation Subcommittee, I helped to 
launch — work with many members on this side — the Transpor- 
tation Security Administration, some years ago, in 2001. Even in 
that first measure, Gongress recognized and requested development 
of a secure ID for transportation workers. In 2004, I helped pass 
legislation to require the FAA to replace a paper pilot identification 
card. And we put in the law that we required a durable, biometri- 
cally-enabled license that also had a photograph of the pilot on 
the — this durable new identification license. 

After spending billions — I’m sorry — after — I get used to billions 
today — but, after spending millions, FAA produced a license that 
was durable. However, it didn’t have a biometric means. And I 
know there’ll be a call today for having some unification of these 
different licenses and IDs, and what components they’d have. But, 
they finally produced, again, a card, at millions of dollars, that does 
not have a biometric measure and code — and coding capability. And 
the only pilots that appear on the document, on the license, are 
Wilbur and Orville Wright. I don’t know if you’ve seen this, but 
this is — turn the — show them Wilbur and Orville Wright, there. So, 
there’s — we spent millions of dollars, we produced this license, and 
it actually is not acceptable with TSA, as an ID. It doesn’t have a — 
even a photo of the pilot on it. 

When you talk to FAA about this, they point to Homeland Secu- 
rity, and then they point to TSA, for trying to get directions. 

So, after spending hundreds of millions of dollars on a TWIG 
card, now we find, this report says, that it can easily fraudulently 
be used. 
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We still lack deployment of readers. We’ve issued about 1.7 mil- 
lion of these cards, but we don’t have a reader. The TWIG card 
does have biometric measures for fingerprint. Iris is on its way, 
we’re told. It has a photo. But, we don’t have a reader capable of 
confirming the identification of the person using the card, and 
knowing that, in fact, is the same person that’s on the ID, or car- 
rying the ID. 

With — right now, the U.S. House and also your help in the Sen- 
ate — and this is a very important hearing because I’m hoping this 
will help prod the agencies to soon have a TWIG card with full bio- 
metric fingerprint and iris capability, and also readers capable of 
a reliable confirmation. However, even with that equipment and 
with that new capability, it will not address some of the fraudulent 
issues that are uncovered by GAO. 

So, I’m pleased to come 

Senator Lautenberg. Mr. Mica, we will put your full statement 
into the record. I made a slight error when I invited you to go first 
without making my own statement. So, we listen with interest, 
have heard your public comments about how you saw things, in 
your testimony, here today. So, I am going to make my statement. 
And if you need a minute more. I’m happy to give it to you. 

Mr. Mica. Thank you. I’d like to hear your statement. Thank 
you. 

[The prepared statement of Mr. Mica follows:] 

Prepared Statement of Hon. John L. Mica, Chairman, Committee on 
Transportation and Infrastructure, U.S. House of Representatives 

Mr. Chairman, Ranking Member Hutchinson, and members of the Committee, 
thank you for the opportunity to testify before you today on the progress, or lack 
thereof, of the Transportation Worker Identification Credential — or “TWIC” — Pro- 
gram. It is a privilege to appear before you, and I thank you for your continued and 
vigilant oversight on this important issue. 

As you may know, I am one of the co-requestors of the Government Accountability 
Office (GAO) report that I believe this Committee will release today on the weak- 
nesses of the TWIC Program. As Chairman of the Transportation and Infrastructure 
Committee in the House of Representatives, I can attest that the Members of my 
Committee are committed to ensuring the security of the transportation workers 
and transportation infrastructure they oversee as part of their role on the Com- 
mittee. As an original author of the legislation that created the Transportation Se- 
curity Administration (TSA) after 9/11, I also feel a personal sense of obligation to 
ensure that this important piece of our nation’s defense apparatus is operating as 
the efficient and effective security agency it was intended to be. 

Government Coordination on Transportation Security 

In the wake of 9/11, the federal government realized how disastrous storing infor- 
mation in government silos could be. Information-sharing became a top priority and 
the administration directed departments and agencies to work together to ensure 
all relevant information is on the table at all times. During this time, the TSA was 
transferred from the Department of Transportation (DOT) to the newly-created De- 
partment of Homeland (DHS). 

Homeland Security Presidential Directive-7 directed DHS and DOT to “collaborate 
on all matters relating to transportation security and transportation infrastructure 
protection.” i In 2004, the two Departments entered into a Memorandum of Under- 
standing and jointly expressed a desire for a “strong partnership in order to reduce 
the vulnerability of transportation passengers, employees, and systems to terrorism 


1 “Homeland Security Presidential Directive-7: Critical Infrastructure Identification, 
Prioritization, and Protection,” The White House. December 17, 2003. 
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and other disruptions.”^ Each department would have regulatory responsibilities in 
the area of transportation security, and would communicate and cooperate on fund- 
ing for transportation security projects. 

As evidence of this partnership, TSA officials have appeared before the Transpor- 
tation and Infrastructure Committee more than a dozen times since the agency was 
transferred to DHS at the end of 2002. In January 2008, former-TWIC Program Di- 
rector Maurine Fanguy provided an update to the Committee on the TWIC Program. 

So you will understand my surprise when TSA Administrator Pistole and TWIC 
Program Manager John Schwartz declined an invitation to testify before the Trans- 
portation Committee on the same issue in April of this year. 

I don’t understand what has changed, but I do want to impart to Administrator 
Pistole, who I understand is testifying on the next panel, that it is imperative that 
jurisdictional issues not interfere with progress, particularly when money is being 
poured into flawed security programs. As evidenced by my appearance before this 
Committee today, Congress does indeed want to work together on these important 
issues and it is not the role of any government agency to interpret jurisdictional 
boundaries of Congressional Committees. 

Transportation Worker Identification Credential (TWIC) Program 

With that said, I did come here today to discuss the TWIC Program. According 
to TSA, 1.86 million people have enrolled, 1.72 million cards have been activated,^ 
and $420 million has been provided to the TWIC Program. In 2007, DHS estimated 
that the combined cost to the federal government and the private sector may reach 
$3.2 billion over a ten-year period — not taking into account the full cost of “imple- 
menting and operating readers.” 

TWIC is turning into a dangerous and expensive experiment in security. Nearly 
half-a-billion dollars have been spent since the Maritime Transportation Security 
Act of 2002 directed the Secretary of DHS to issue biometric transportation security 
cards to maritime workers. Yet today, 10 years later, TWIC cards are no more use- 
ful than library cards. In fact, the only port that GAO investigators were NOT able 
to gain access to using fraudulent means was the port that still required port-spe- 
cific identification for admittance to secure areas. 

We have also learned from GAO that: 

1. Individuals can obtain authentic TWICs using fraudulent identification docu- 
mentation; 

2. Individuals can gain access to ports using counterfeit TWICs; and that, 
among other things, 

3. TSA is unable to confirm that TWIC holders maintain their eligibility 
throughout the life of their TWIC. 

This is a troubling scenario and counterintuitive to the purpose of the program. 
GAO determined that an individual does not have to prove who they say they are 
when enrolling in the program. In other words, an individual can present a fraudu- 
lent identification document with somebody else’s name, but provide their own fin- 
gerprints to obtain an authentic TWIC card. In this instance, the TWIC card trans- 
forms into a biometric key that unlocks our nation’s ports and facilities for any indi- 
vidual with the intent and desire to do us harm. 

GAO tells us that DHS has not assessed whether or not the TWIC program en- 
hances security or not. In fact, DHS cannot demonstrate that TWIC — as imple- 
mented and planned — is more effective than the approach used to secure ports and 
facilities before 9/11. 

I believe we must begin to ask if these vulnerabilities in fact make our nation 
less secure. 

TSA Needs to Conduet Cost-Benefit and Risk Analyses of Programs Prior 
to Funding 

The root of this problem is evidenced in many other TSA programs as well — this 
fledgling agency still does not conduct risk assessments and cost-benefit analyses of 
its security programs as required by law. 


2 “Memorandum of Understanding between the Department of Homeland Security and the De- 
partment of Transportation on Roles and Responsibilities.” September 28, 2004. 

3 “Transportation Worker Identification Credential (TWIC) Program Briefing” to the House 
Committee on Oversight and Government Reform, Transportation Security Administration. May 
2 , 2011 . 
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TSA’s Screening People by Observation Techniques — or “SPOT” — program, will re- 
quire $1.2 billion over the next 5 years, but TSA has yet to validate the underlying 
methodology of the program or to conduct a cost-benefit analysis."^ 

Likewise, GAO found in April of last year that TSA has not conducted comprehen- 
sive risk assessments across the surface transportation sector.® This lack of analysis 
results in ill-informed resource allocations and more importantly calls into question 
whether the highest risk targets are being secured. In light of the plot against the 
U.S. rail sector uncovered in the Bin Laden raid, it is alarming that TSA still has 
not addressed recommendations to close these gaps. 

Biometric Pilot Licenses 

TSA is not the only agency that has struggled to develop a biometric credential 
for transportation workers. In April, the Federal Aviation Administration (FAA) tes- 
tified before my Committee on the long delayed development of biometric pilot li- 
cense. Although Congress mandated that pilot licenses include biometric identifiers 
in the Intelligence Reform and Terrorism Prevention Act of 2004, FAA has yet to 
produce them. FAA recently spent $2.7 million to issue 700,000 pilot licenses that 
complied with one requirement of the 2004 legislation — they are now plastic instead 
of paper and therefore tamper-resistant. Unfortunately, the requirements to include 
a photograph and biometric identifiers were not taken into consideration. 

In closed door sessions with my Committee, FAA informed Members that they be- 
lieved TSA was going to produce a biometric standard for them, perhaps in the form 
of a TWIG card. 

Given the testimony that you will hear today, and the results of this GAO report, 
I think it is safe to say that roping additional transportation workers into the TWIG 
Program is an idea destined for disaster. While the biometric standard for the TWIG 
Program, developed by the National Institute of Standard and Technology (NISI), 
works well and fulfilled a much-needed mandate, the program itself is poorly man- 
aged. 

NIST’s Director of Information Technology recently informed me that the agency 
is in the process of updating the current biometric standard to include iris scanning, 
an effort which I applaud. I understand that this standard will be complete by the 
end of this year and look forward to its inclusion in future personal identify 
verification cards for the federal workforce. 

I want to thank the Gommittee again for the opportunity to testify before you 
today, and for your important work on the issue of secure credentials for transpor- 
tation workers. 

Senator Lautenberg. Thanks very much. And again, welcome. 

And I’m pleased to have a chance to have this committee hear- 
ing. We have serious concerns about the government’s record, and 
efforts to make America’s ports more secure. Our maritime facili- 
ties are global gateways, and they provide American businesses 
and consumers access to the world marketplace. The ports are a 
vital part of our economy, but they’ve also been identified as special 
targets for terrorist attacks. 

Now, my state is home to — as said by the FBI — to the country’s 
most at-risk areas for a terrorist attack, a stretch that includes 
major hubs like the Port of New York and New Jersey, which han- 
dled more than $140 million in cargo last year. 

Now, to improve security at our ports, 9 years ago the govern- 
ment created a worker identification program, known as TWIG, to 
try to make sure that access to the nation’s ports is limited to peo- 
ple who belong there, such as dock workers and cargo handlers and 
other professionals. Now, after several delays, the program is now, 
as you said, up and running, and the government has issued al- 
most 2 million TWIG cards. 


^“Efforts to Validate TSA’s Passenger Screening Behavior Detection Program Underway, but 
Opportunities Exist to Strengthen Validation and Address Operational Challenges.” U.S. Gov- 
ernment Accountability Office, May 2010. 

® “Surface Transportation Security: TSA Has Taken Actions to Manage Risk, Improve Coordi- 
nation, and Measure Performance, but Additional Actions Would Enhance It’s Efforts.” U.S. 
Government Accountability Office, April 2010. 
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But, a recent Government Accountability Office investigation 
raises a disturbing question. Are America’s ports actually safer now 
than they were a decade ago? The GAO has identified serious prob- 
lems with TWIG, including startling evidence that this program 
might actually diminish the safety of our ports. 

At this committee’s request, the GAO conducted covert testing. 
Investigators were able to fraudulently obtain TWIG cards and use 
the cards to access secure locations. Not only were they able to ac- 
cess the port facilities, but they were able to drive a vehicle with 
a simulated explosive into a secure area. Fraudulent and counter- 
feit cards, like the ones used by investigators, could also be used 
as identification at airports or military facilities. 

The problems don’t stop with fraudulent cards. There are also 
issues with criminal background checks, immigration checks, and 
the lack of safeguards to determine if an applicant even needs a 
TWIG card. So, despite these alarming findings, the Transportation 
Security Administration has, so far, been unable to close the gaping 
holes that plague this program. 

Additionally, the Department of Homeland Security, which heads 
the TSA, has not yet conducted a review to determine if the card 
program helps or hinders security at our nation’s ports. And given 
the critical importance of our ports, it’s unacceptable that we’re 
spending hundreds of millions of tax dollars on a program that 
might actually be making the ports less safe. So, according to esti- 
mates, it could cost as much as $3 billion to deploy the cards over 
a 10-year period. And this doesn’t include the cost of the sophisti- 
cated biometric equipment that’s needed to read the card. So, we’ve 
got to thoroughly examine and correct the TWIG Program, and 
make sure we’re focusing our resources where they’re needed most, 
the areas that present the highest risk. 

So, I look forward, Mr. Mica, to hearing from you and our other 
witnesses about how you see the status of the program and how 
we can best implement changes to make sure our port security pro- 
grams are effective and the money we spent — spend is improving 
at our ports. 

Now, I’ve got Senators here that are waiting at a chance to make 
their statements. And if you want to add a ex post facto thing for 
just a couple of minutes, Mr. Mica, I’d be 

Mr. Mica. Sure, I’m here, waiting. Love to hear the other Sen- 
ators, too. Thank you, sir. 

Senator Lautenberg. Thank you. In the order of their appear- 
ance, Senator Ayotte is here. And we’re pleased to see you, and in- 
vite you to give your statement, please. 

STATEMENT OF HON. KELLY AYOTTE, 

U.S. SENATOR FROM NEW HAMPSHIRE 

Senator Ayotte. Thank you, Mr. Chairman. 

Thank you. Representative Mica. Thank you so much for coming 
over to testify from the House. 

Security at our nation’s ports is critically important to our safety 
and to our economy. Not only would an attack on our nation’s ports 
be devastating, in terms of the loss of human life, but would also 
severely impact our national economy. 
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It is deeply troubling that the GAO investigators were able to ac- 
cess secure facilities at U.S. ports during covert tests by presenting 
counterfeit or fraudulent TWIG cards. This represents a significant 
hole in our national security that must be addressed. And we cer- 
tainly don’t want a security program in place that gives the ap- 
pearance of making us more secure, but in reality does not, because 
that can cause people to actually act less vigilantly than they 
should, given the situation. 

I look forward to discussing the reasons behind why this was 
able to happen, ways we can prevent this from happening in the 
future, and how this program can be corrected to ensure the secu- 
rity of our ports. I also wanted to raise the issue that transpor- 
tation workers who are getting these IDs — they also are pretty in- 
convenienced, in terms of having to make two trips to a TWIG en- 
rollment center to obtain their TWIG card, which can be time-con- 
suming and expensive for, particularly, workers in rural areas that 
don’t live close to an enrollment center, which can place an addi- 
tional financial burden, particularly on a program which we have 
questions about the efficacy of it. I’m also interested in discussing 
ways that this burden could be alleviated so that workers don’t 
have to make multiple, costly trips in order to receive the TWIG 
card, while, at the same time, ensuring the integrity of the card, 
which is very important. 

As millions of TWICs are going to be coming up for renewal in 
2012, now is the time for this committee to address this issue. And 
it’s critical that we solve these problems right away. 

And I look forward to your testimony today. 

Thank you. 

Senator Lautenberg. Senator Klobuchar. 

STATEMENT OF HON. AMY KLOBUCHAR, 

U.S. SENATOR FROM MINNESOTA 

Senator Klobuchar. I’m looking forward to hearing from the 
witnesses. Thank you, Mr. Chairman. 

Senator Lautenberg. Senator Boozman. 

STATEMENT OF HON. JOHN BOOZMAN, 

U.S. SENATOR FROM ARKANSAS 

Senator Boozman. I think, in the interest of time, Mr. Chairman, 
I will put my statement in the record, with your permission. 

[The prepared statement of Senator Boozman follows:] 

Prepared Statement of Hon. John Boozman, U.S. Senator from Arkansas 

Senator Lautenberg, thank you for presiding over this hearing today. The results 
of this GAO study are troubling, including the multiple breaches at facilities by in- 
vestigators using fraudulent and/or counterfeit TWIC cards. Perhaps the only thing 
that is positive to see is that the Department of Homeland Security agrees with the 
recommendations. 

I look forward to listening to your testimony today, and working with both DHS 
and the Coast Guard in the future to improve the TWIC program. 

Senator Lautenberg. We’re making haste here, Mr. Mica. We’ve 
got, if you want, a couple of minutes. 

Mr. Mica. Thank you. I’ll just conclude. And again, I associate 
myself with your remarks, and Senators that are here. 
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You’re looking at TWIG, you’re looking at problems we’ve uncov- 
ered. The last S^enator who spoke indicated that, 2012, we’ll be re- 
newing these cards. I think it’s incumbent on both the House and 
the Senate that we get our act together on these IDs. If we’ve spent 
a half a billion dollars. We don’t have a reader. We’re on the cusp 
of getting a second biometric measure. And we have transportation 
workers in other fields — aviation, for example — where I showed you 
a card that we have for a license, that can’t be used for an ID, that 
doesn’t meet the criteria that Congress intended. We can, and we 
must, do a better job of getting our whole act together. 

Now, this, folks, too, is not rocket science. There are other agen- 
cies that already have identification cards. They have them with 
biometrics, both iris and thumb. They have them with readers that 
can confirm that that person is the person that has the ID and can 
be identified. So, we go on spending more and more money, and we 
don’t have security at our ports, our airports, or other transpor- 
tation facilities. 

So, I’ll work with you. I know you’re going to hear from Mr. Pis- 
tole. He’s fairly new at the gate. A lot of this didn’t happen under 
his watch. But, we do need to work with him, with the administra- 
tion, and others, to somehow call a halt to spending hundreds of 
millions of dollars and still, 10 years later, not having a secure ID. 

Thank you. And I’m pleased to be here. 

Senator Lautenberg. We appreciate your presence here. 

Senator Begich, you’ve just come in. Can we proceed with the 
witnesses, or 

Senator Begich. Let me think about it, if you could, Mr. Chair- 
man. I have lots of thoughts on my mind. 

Senator Lautenberg. OK. 

Senator Begich. No, go ahead. 

[Laughter.] 

Senator Lautenberg. All right. And I would call the second 
panel to the table: Mr. John Pistole, the Administrator of the 
Transportation Security Administration. You’re not so new. And 
we’re glad that you’ve brought your experience and leadership to 
the task. We’ll hear from you on the administration’s efforts to im- 
plement the card program. Rear Admiral Kevin Cook, Director of 
Prevention Policy for the United States Coast Guard, to testify on 
the Coast Guard’s role in the TWIG Program. And Mr. Steve Lord, 
Director of Homeland Security and Justice for the GAO, the Gov- 
ernment Accountability Office. And your testimony, I understand is 
going to be on the GAO’s oversight and investigation of this pro- 
gram. 

So, I thank all of you for coming today. 

And, Mr. Pistole, please begin. We have 5 minutes for your testi- 
mony. 

STATEMENT OF HON. JOHN S. PISTOLE, ADMINISTRATOR, 
TRANSPORTATION SECURITY ADMINISTRATION, 

U.S. DEPARTMENT OF HOMELAND SECURITY 

Mr. Pistole. Thank you. Chairman Lautenberg. And good after- 
noon, distinguished members of the Committee. 

I appreciate the opportunity to testify today about Transpor- 
tation Security Administration’s work with the United States Coast 
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Guard on the Transportation Worker Identification Credential Pro- 
gram, or TWIG. 

TWIG Program, of course, authorized by the Maritime Transpor- 
tation Security Act of 2002, MTSA, and the SAFE Port Act, 
strengthens the security of our nation’s port while facilitating trade 
through the provision of a tamper-resistant biometric credential to 
all port workers requiring unescorted access to secure areas of 
these MTSA-regulated port facilities and vessels. 

The purpose of the TWIG Program is to provide a means of posi- 
tively verifying the identify of those seeking access to secure areas, 
and to conduct Security Threat Assessments, or STAs, to determine 
their eligibility, and to deny access to unauthorized individuals. 

Like all security procedures, use of TWIG cards help reduce or 
mitigate risk, but do not eliminate risk, as detailed in the GAO re- 
port. Not only do I agree with the findings and conclusions of the 
GAO report, and have taken initial steps to address the first two 
recommendations — the first three apply to TSA, particularly — but. 
I’ve asked GAO to follow up with a rigorous cost-benefit analysis 
of the entire TWIG Program, in conjunction with DHS, Coast 
Guard, and TSA. I believe this type of comprehensive assessment 
will help us all make judgments on how well we, the U.S. Govern- 
ment and industry, are buying down risk, and the best way for- 
ward with this program. In other words, what’s our return on in- 
vestment? 

To date, TSA has vetted and ruled more than 1.8 million TWIG 
applicants. The majority of transportation workers who have no 
criminal history receive their TWIG within 5 to 10 calendar days 
of submitting an application. Applicants with criminal histories re- 
quire a more stringent review, of course, and generally receive ei- 
ther their TWIG or notification of a potentially disqualifying of- 
fense within 30 calendar days of submitting an application. 

Now, in accordance with the SAFE Port Act of 2006, a TWIG 
pilot is currently being conducted to evaluate the feasibility, as well 
as technical and operational impact, of implementing a transpor- 
tation security card reader. Formal data collection from the pilots 
is expected to be completed in 3 weeks — the end of May. There- 
after, an independent test agent will develop individual participant 
reports for review by TSA and Coast Guard. And we also continue 
to analyze data already collected in the pilot. And we’ll analyze 
new data as it is required. We have drafted a report required by 
section 104 of the SAFE Port Act, and will continue to make fur- 
ther updates to this report until its anticipated delivery to Con- 
gress this summer. These reports, along with direct feedback from 
file participants, will inform decisions regarding Coast Guard’s 
rulemaking that will establish TWIC-reader use requirements. 

I don’t believe this testimony would be complete without mention 
of TSA’s efforts to harmonize the Security Threat Assessments 
across all modes of transportation. We share the goal of Congress 
and stakeholders that STA programs be harmonized to alleviate 
the burden and inconvenience placed on individuals by the need to 
obtain multiple STAs. To this end, we are working on a rulemaking 
that may further — may propose further harmonization of the secu- 
rity threat assessments. To achieve the optimal benefit of this rule, 
new legislation must be enacted that would harmonize different 
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statutorily required procedures that prevent harmonization and 
cannot he changed through rulemaking. TSA looks forward — I look 
forward to working with this committee, and other committees, to 
develop the needed legislation. 

Mr. Chairman, members of the Committee, I thank you for the 
opportunity to appear before you. I look forward to your questions. 
Thank you. 

[The prepared statement of Mr. Pistole follows:] 

Prepared Statement of Hon. John S. Pistole, Administrator, Transportation 
Security Administration, U.S. Department of Homeland Security 

Good morning. Chairman Lautenberg, Ranking Member Hutchison, and distin- 
guished members of the Committee. Thank you for the opportunity to testify today 
about the Transportation Security Administration’s (TSA) work with the United 
States Coast Guard (USCG) on the Transportation Worker Identification Credential 
(TWIC) program. 

The TWIC program, authorized by the Maritime Transportation Security Act of 
2002 (MTSA) and the SAFE Port Act, strengthens the security of our nation’s ports 
while facilitating trade through the provision of a tamper-resistant biometric cre- 
dential to all port workers requiring unescorted access to secure areas of MTSA-reg- 
ulated port facilities and vessels. The mission of the TWIC program is to provide 
a means of positively verifying the identity of those seeking access to secure areas, 
to conduct Security Threat Assessments (STA) to determine their eligibility, and to 
deny access to unauthorized individuals. 

TSA began the national deployment of the TWIC program on October 16, 2007, 
with the enrollment of maritime workers at the Port of Wilmington, DE. A nation- 
wide requirement for individuals to hold a TWIC in order to access MTSA-regulated 
facilities went into effect in April 2009, and TSA continues to operate approximately 
134 enrollment centers located in ports and concentrations of maritime activity 
throughout the United States and its territories. These centers serve the diverse 
population of maritime workers, including truckers, suppliers, maintenance per- 
sonnel and others who require a TWIC to allow them unescorted access to secure 
areas of MTSA-regulated facilities and vessels. 

The process to obtain a TWIC requires two visits to an enrollment center: an ini- 
tial visit to provide biographic and biometric data, and a subsequent visit to activate 
the credential upon successful completion of the STA. While TSA understands that 
this process can pose a burden on transportation workers who do not live within 
close proximity of an enrollment center, the process is critical to verify the identity 
of the individual to whom the credential is to be issued, and TSA has made efforts 
to mitigate this potential burden by operating 135 enrollment centers nationwide 
centered around maritime populations. In addition, TSA allows more remote area 
authorities or organizations to conduct enrollment and activation operations on their 
own for their denned population. TSA continues to actively engage all stakeholders 
to address issues concerning proximity to enrollment centers as well as other chal- 
lenges faced by the maritime population relating to the TWIC program. 

To date, TSA has vetted more than 1.8 million TWIC applicants. The majority of 
transportation workers who have no criminal history receive their TWIC within 5 
to 10 calendar days of submitting an application. Applicants with criminal histories 
require a more stringent review and generally receive either their TWIC or notifica- 
tion of a potentially disqualif 3 dng offense within 30 calendar days of submitting an 
application. Initially, transportation workers who requested redress following an ini- 
tial determination of ineligibility experienced delays in the process necessary to 
reach a decision. TSA took this issue very seriously and, through increased staff and 
adjudicative process improvements, we have been able to significantly reduce the 
wait time for individuals in these scenarios. 

The national implementation of the TWIC as the common credential verifying the 
identity and background suitability significantly enhances national maritime secu- 
rity, which previously relied on a patchwork of private and public identity 
verification and threat assessment architectures to allow access to secure and re- 
stricted areas. 

The STA and associated TWIC must be renewed every 5 years and preparations 
are being made in advance of the impending initial five-year renewal cycle. TSA is 
in the process of developing policies and procedures that will ensure a smooth re- 
newal phase for the transportation workers who rely on this card to do their jobs. 
These procedures will both minimize the operational impact at TWIC enrollment 
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centers and ensure that individuals who have completed the redress process are not 
required to repeat the process when no new criminal information is found. This will 
help prevent adjudication backlogs that the expected surge in renewal enrollments 
might otherwise cause. Throughout this process, TSA will continue to engage the 
stakeholder community in order to minimize the impact of the renewal cycle on af- 
fected workers. 

In addition to renewing the STA and TWIC every 5 years, TSA conducts recurrent 
checks of TWIC holders against terrorist watchlists and has the authority to revoke 
TWICs based on the results of this recurrent vetting. 

In accordance with the SAFE Port Act of 2006, a TWIC pilot is currently being 
conducted to evaluate the feasibility as well as technical and operational impact of 
implementing a transportation security card reader system. Biometric identity 
verification would require workers to present their card to a TWIC card reader and 
place their finger on a biometric sensor. The reader would then verify the worker’s 
identity by matching the fingerprint presented to the fingerprint templates on the 
TWIC. Based on stakeholder feedback to the TWIC Notice of Proposed Rulemaking 
(NPRM) 1 as well as its own analysis, DHS determined that the maritime commer- 
cial environment would benefit from an easy, rapid entrance process, not one that 
included entering a Personal Identification Number (PIN) as is required with the 
Federal Personal Identity Verification (PIV) smart card-based standard for Federal 
employees and contractors.^ TSA and the Coast Guard engaged maritime stake- 
holders, smart card industry experts, and appropriate Federal agency representa- 
tives to develop TWIC specifications that would meet maritime industry require- 
ments for biometric identity verification. 

Formal data collection from the pilots is expected to be completed at the end of 
this month. Thereafter, an independent test agent will develop individual partici- 
pant reports for review by TSA and the Coast Guard. TSA also continues to analyze 
data already collected in the pilot and will analyze new data as it is acquired. TSA 
has drafted the report required by Section 104 of the SAFE Port Act and will con- 
tinue to make further updates to this report until its anticipated delivery to Con- 
gress this summer. These reports, along with the direct feedback from the partici- 
pants, will inform decisions regarding the Coast Guard’s rulemaking that will estab- 
lish TWIC reader use requirements. 

Notwithstanding several factors that contributed to a delay in commencing the 
TWIC Pilot — including the fact that participation in the pilot was voluntary, lim- 
iting DHS’s ability to influence the overall pace of the pilot — the pilot officially 
began with the start of the first reader tests during the Initial Technical Testing 
(ITT) phase on August 20, 2008. The Early Operational Assessment (EOA) phase 
began in April 2009 with the installation of readers in the Port of Brownsville, TX, 
and the System Test and Evaluation (ST&E) phase began in November 2009. Over 
the course of the pilot, approximately 156 portable and fixed readers were in use 
at participating ports and facilities. 

This testimony would not be complete without mention of TSA’s effort to har- 
monize STAs across all modes of transportation. We share the goal of Congress and 
stakeholders that STA programs be harmonized to alleviate the burden and incon- 
venience placed on individuals by the need to obtain multiple STAs. To this end, 
TSA is working on a rulemaking that may propose further harmonization of STAs. 
To achieve the optimal benefit of this rule, new legislation must be enacted that 
would harmonize differing statutorily required procedures that prevent harmoni- 
zation and cannot be changed through rulemaking. TSA will work with Congress 
to develop the needed legislation. 

Mr. Chairman, Ranking Member Hutchison, I thank you for the opportunity to 
appear before you today and I look forward to answering your questions about 
progress in the TWIC program. 

Senator Lautenberg. Thanks very much. 

Admiral your turn. And we look forward to your testimony. 

STATEMENT OF REAR ADMIRAL KEVIN S. COOK, DIRECTOR, 
OF PREVENTION POLICY, U.S. COAST GUARD 

Admiral CooK. Well, good afternoon, Mr. Chairman and distin- 
guished members of the Committee. 


1 71 FR 29396, May 22, 2006. 

2 Federal Information Processing Standards Publication 201—1 March 2006. 
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With your permission, Mr. Chairman, I’d like to have my written 
testimony entered into the record. 

Senator Lautenberg. So it’ll be done. 

Admiral Cook. Thank you for the opportunity to speak with you 
today about the progress the Coast Guard, working together with 
the Transportation Security Administration, has made in imple- 
mentation of the TWIC Program, the ongoing TWIC compliance ef- 
forts for facilities and vessels regulated under the Maritime Trans- 
portation Security Act, or MTSA, and future plans for card readers. 

The Coast Guard remains cognizant of how implementation and 
enforcement of TWIC impacts individuals and their livelihoods 
while balancing security needs with the economic vitality of port 
operations. The TWIC Program, as envisioned under MTSA and 
strengthened by the subsequent requirements of the SAFE Port 
Act, provides an additional layer of security. This is accomplished 
by ensuring all transportation workers and credentialed merchant 
mariners who seek unescorted access to secure areas in approxi- 
mately 2,700 regulated facilities, 12,000 regulated vessels, and 50 
regulated Outer Continental Shelf facilities have been vetted and 
do not pose a security risk to our marine transportation system. 

As of April 15, 2009, applicable Coast Guard-credentialed mari- 
ners, MTSA-regulated facilities and vessels were required to be in 
compliance with the TWIC Program. The Coast Guard, through the 
captain of the port and the area maritime security committees, con- 
tinue to monitor and enforce TWIC regulations by working closely 
with owners and operators. 

Internal guidance documents for training, compliance, and en- 
forcement for Coast Guard personnel have been developed and 
shared with our DHS partners, including TSA and CBP, and state 
and local agencies to promote a unified approach to enforcement 
protocols. 

The SAFE Port Act mandates that the Coast Guard conduct two 
security inspections annually at all MTSA-regulated facilities, with 
one inspection being unannounced. During each of these, TWICs 
are checked by Coast Guard personnel either visually or using bio- 
metric hand-held readers. 

As originally planned with the TWIC rule in 2006, the final step 
of implementation of the TWIC Program is to utilize the full secu- 
rity benefits of the card through the use of readers. Although the 
implementation and reader requirements were originally combined 
in one rulemaking, the Coast Guard and TSA heard loud and clear 
from the industry that further research and a different approach 
for readers was necessary, especially as it applies to incorporating 
contactless reader technology. Our stakeholders spoke, and we lis- 
tened, and agreed to split the rule so that the first phase of the 
TWIC Program, that we’re using now, is based on visual 
verification. Based on industry recommendations, a working speci- 
fication for the use of contactless readers was developed. It is sub- 
sequently being tested through the reader pilot test that Adminis- 
trator Pistole just mentioned. 

In parallel with the pilot testing, the Coast Guard has been 
working on a proposed rulemaking that will address potential re- 
quirements for MTSA vessels and facilities to utilize electronic card 
readers. A key component in this will be informing with the oper- 
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ational, environmental, and technical data from — the TWIC reader 
pilot program brings to our rulemaking. Based on the current sta- 
tus of the pilot program, we hope to be able to publish a notice of 
proposed rulemaking toward the end of calendar year 2011 or early 
in 2012. 

In the meantime, to maximize the security benefits of the TWIC, 
the Coast Guard procured and deployed over 200 hand-held readers 
for use during routine and unscheduled inspections. The Coast 
Guard and TSA developed several supplementary documents to 
help those who are required to comply with the TWIC regulations. 
The latest Policy Advisory Council decision, 01-11, on the vol- 
untary use of TWIC readers was published in the Federal Register 
on the 15th of March, 2011, to assist the marine industry with con- 
sistency in the voluntary use of TWIC readers. 

Also, we recently directed that our captains of the port place a 
higher priority on review and validation of TWIC verification proce- 
dures that are conducted during MTSA inspections. This is being 
done through a direct engagement with facility security officers to 
highlight the importance of properly trained guards, and remind 
them of the training aids that are available on the Coast Guard’s 
Homeport website. 

In conclusion, Mr. Chairman, the TWIC implementation marked 
a major milestone in the MTSA to protect our maritime transpor- 
tation system. Card readers are a key step in maximizing the secu- 
rity benefit. And the Coast Guard is anxiously awaiting the pilot 
test results to help us draft effective regulations, minimizing the 
potential adverse impacts of the reader. While we have accom- 
plished a great deal thus far, we acknowledge that the process has 
not been free from challenges. We will continue to keep the public 
interest in mind and also keep you informed on our progress. 

Thank you for the opportunity to speak with you today. And I 
would be pleased to take any of your questions. 

[The prepared statement of Admiral Cook follows:] 

Prepared Statement of Rear Admiral Kevin S. Cook, 

Director of Prevention Policy, U.S. Coast Guard 

Good morning. Chairman Rockefeller, Ranking Member Hutchison and distin- 
guished members of the Committee. I am Rear Admiral Kevin Cook, U.S. Coast 
Guard Director of Prevention Policy. It is a pleasure to be here today to update you 
on how the Coast Guard, in partnership with the Transportation Security Adminis- 
tration (TSA), continues to implement the Transportation Worker Identification Cre- 
dential (TWIC) program, which strengthens the security of our nation’s ports while 
facilitating trade by adding a layer of security which allows vetted employees with 
a biometric credential to have unescorted access to secure areas. 

TWIC enrollment began in 2007 and today, maritime vessels and facilities within 
all 42 Coast Guard Captain of the Port (COTP) Zones are in compliance with the 
TWIC program. In April of this year, we reached more than 1.8 million enrollments 
for TWIC with no significant impact to commerce and the maritime transportation 
system. Since the Coast Guard and TSA published the TWIC requirements on Janu- 
ary 25, 2007 in a Final Rule, we have been developing regulations, policies, systems 
and capabilities to serve as a solid foundation for enrollment and compliance. The 
deliberate process and careful steps taken to lay this foundation ensure that we gain 
the full security benefit from TWIC. 

Background 

The TWIC program builds on the security framework established by Congress in 
the Maritime Transportation Security Act (MTSA) of 2002. Coast Guard regulations 
stemming from MTSA established security requirements for maritime vessels and 
facilities posing a high risk of being involved in a transportation security incident. 
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The MTSA also required the Secretary of Homeland Security to issue a biometric 
transportation security card to all licensed and documented U.S. mariners, as well 
as those individuals granted unescorted access to secure areas of MTSA-regulated 
vessels and facilities. TSA was assigned this requirement, and because of our over- 
lapping responsibilities, the Coast Guard and TSA formally joined efforts to carry 
out the TWIC program in November 2004. In this partnership, TSA is responsible 
for TWIC enrollment, security threat assessment and adjudication, card production, 
technology, TWIC issuance, conduct of the TWIC appeal and waiver process as it 
pertains to credential issuance, and management of government support systems. 
The Coast Guard is responsible for establishing and enforcing TWIC access control 
requirements for MTSA-regulated vessels and facilities. 

TSA and the Coast Guard published a joint TWIC Notice of Proposed Rulemaking 
(NPRM) on May 22, 2006. Following the publication of the NPRM and the subse- 
quent comment period. Congress enacted the Security and Accountability for Every 
Port Act of 2006 (the SAFE Port Act). The SAFE Port Act created new statutory 
requirements for the TWIC Program, including: the commencement of a pilot pro- 
gram to test the viability of TWIC cards and readers in the maritime environment; 
deployment of the program in priority ports by set deadlines; inclusion of a provision 
to allow newly hired employees to work while their TWIC application is being proc- 
essed; and concurrent processing of the TWIC and merchant mariner applications. 

TSA and the Coast (juard published the TWIC Final Rule on January 25, 2007, 
in which the Coast Guard’s MTSA regulations and TSA’s Hazardous Material En- 
dorsement regulations were amended to incorporate the TWIC requirements. After 
receiving many comments regarding technology issues of the reader requirements 
as proposed in the NPRM, we removed from the hnal rule the requirement to install 
TWIC readers at vessels and facilities. This requirement is currently being ad- 
dressed in a second rulemaking, which I will discuss later. 

Policy 

The Coast Guard and TSA developed several supplementary documents to help 
those who are required to comply with the TWIC regulation. To explain in detail 
how the Coast Guard intends to apply TWIC regulations, we established policy guid- 
ance in the form of a Navigation and Vessel Inspection Circular (NViC) and pro- 
vided answers in 16 Policy Advisory Council documents that have been published 
since November 21, 2007. 

The Policy Advisory Council was established during the original implementation 
of the MTSA regulations. It is made up of Coast Guard representatives from head- 
quarters and field level commands that are charged with considering questions from 
stakeholders and/or held offices to ensure consistent interpretation of regulation. 
The latest Policy Advisory Council Decision 01-11 on the voluntary use of TWIC 
readers was published in the Federal Register on March 15, 2011. This guidance 
document will assist the maritime industry and general public with TWIC reader 
requirements and is designed to ensure consistent installation for the voluntary use 
of TWIC readers for electronic identity verihcation across MTSA-regulated facilities 
and vessels. 

Stakeholder Engagement and Outreach 

Engagement with affected stakeholders continues to be crucial to successful imple- 
mentation, and the regulatory process is one of the most important vehicles for the 
public to voice concerns and provide comment on the TWIC program. For example, 
responses received during the TWIC NPRM comment period provided valuable in- 
sight into the unique operational issues facing labor, maritime facilities and vessels 
required to comply with TWIC requirements. Comments regarding the technological 
and economic feasibility of employing the TWIC cards and card readers in the mari- 
time environment led to splitting the rule, with the card reader requirements form- 
ing a separate, pending rulemaking. The Coast Guard published the TWIC Reader 
Requirements Advanced Notice of Proposed Rulemaking (ANPRM) on March 27, 
2009, which again afforded the public and maritime community an opportunity to 
shape future TWIC requirements. 

Since publication of the TWIC Final Rule and TWIC Reader Requirements 
ANPRM, the Coast Guard and TSA have conducted numerous outreach events at 
national venues such as: the American Trucking Association; Association of Amer- 
ican Railroads; American Short Line and Regional Railroad Association; Passenger 
Vessel Association; American Waterways Operators; National Association of Charter 
Boat Operators; National Association of Waterfront Employers; National Petro- 
chemical Refiners Association meetings; smart card and biometric industry con- 
ferences; maritime union meetings; American Association of Port Authorities con- 
ferences; and many others. In addition, quarterly TWIC Stakeholder Communica- 
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tion Committee meetings are being held and remain an important avenue for keep- 
ing the public informed and creating the opportunity for open dialogue. 

The Coast Guard, through COTP and Area Maritime Security Committees, con- 
tinues to closely monitor and encourage enrollment for TWIC and work collabo- 
ratively with owners and operators of regulated facilities and vessels to ensure com- 
pliance and enforcement of the TWIC program. 

Reader Pilot Testing 

In accordance with the SAFE Port Act of 2006, a TWIC pilot is currently being 
conducted to evaluate the feasibility as well as technical and operational impact of 
implementing a transportation security card reader system. TSA and the Coast 
Guard have begun operational testing of the TWIC card readers at geographically 
and operationally diverse port and vessel locations and formal data collection should 
be completed on May 31, 2011. Thereafter, individual participant reports will be de- 
veloped by an independent test agent and then reviewed by TSA and the Coast 
Guard. These individual participant-level reports, along with the direct feedback 
from the participants, will be the primary data source for the Coast Guard to move 
forward in the next phase of the TWIC reader rulemaking. 

Reader Requirements 

Per the SAFE Port Act, the Coast Guard is required to use the pilot report to in- 
form a final reader rulemaking. The Coast Guard, with the support of TSA, is devel- 
oping a second TWIC reader requirements rule that will serve to meet the require- 
ment for electronic TWIC readers in the maritime environment. This rulemaking 
will apply requirements in a risk-based fashion to leverage security benefits and ca- 
pabilities. The Coast Guard solicited and received valuable input and recommenda- 
tions from the Towing Safety Advisory Committee, Merchant Marine Personnel Ad- 
visory Committee, and the National Maritime Security Advisory Committee on spe- 
cific aspects of potential applications of readers for vessels and facilities. As in all 
aspects of the TWIC program, our goal is to enhance maritime security while bal- 
ancing impacts on the stakeholders, who are at the forefront of providing that secu- 
rity. As we evaluate the economic and operational impact on the maritime industry 
we will continue to seek input and recommendations to develop and issue regula- 
tions requiring industry compliance. 

Compliance 

The Coast Guard has the primary responsibility for ensuring compliance with the 
TWIC regulations. We continue to work extensively with our DHS partners, includ- 
ing TSA and U.S. Customs and Border Protection, as well as state and local agen- 
cies to enhance partnerships and develop enforcement assistance protocols. 

All of the approximately 2,700 maritime facilities impacted by the TWIC regula- 
tions are — and have been — in compliance as of the April 15, 2009 implementation 
date. The Coast Guard continues to conduct both announced and unannounced spot 
checks to ensure compliance with the TWIC regulations. 

To fully leverage the security benefits of the TWIC and other credentials, the 
Coast Guard has deployed 218 multi-use biometric handheld readers nationwide. 
The use of these readers serves as the primary means of TWIC verification during 
Coast Guard compliance activities. Over the past 2 years since the national compli- 
ance date, the Coast Guard has verified more than 150,000 TWICs through a com- 
bination of visual and electronic verification methods. 

The use of readers by the Coast Guard and industry alike reduces the risk of suc- 
cessful counterfeit attempts and further adds to the ability to identify authentic cre- 
dentials that have been revoked at some point after activation and delivery. 

The Way Ahead 

The Coast Guard continues to focus on the enforcement of the TWIC regulations 
and deployment of handheld readers will continue to enhance these efforts. Approxi- 
mately 130 additional readers are scheduled for deplojmient in 2011. 

We recently directed our COTPs to place higher priority on review and validation 
of TWIC verification procedures during required MTSA inspections. This review and 
validation is being done through direct engagement with Facility Security Officers 
to highlight the importance of properly trained guards and remind them of the 
training aids available. 

Our ongoing compliance efforts in combination with the future reader require- 
ments on commercial vessels and facilities through rulemaking are critical in ensur- 
ing the security of America’s maritime transportation system. 
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Conclusion 

We continue to work closely with TSA to facilitate outreach to the maritime in- 
dustry in an effort to enhance the overall TWIC experience for workers and mari- 
time operators — from improving the enrollment and activation processes to ensuring 
the necessary guidance and support is in place for maritime operator enforcement. 
We have accomplished important milestones, strengthened working relationships 
with public and industry stakeholders, and held a steadfast commitment to securing 
the maritime transportation system while facilitating commerce. As we continue to 
make improvements regarding compliance, enforcement, and continued industry en- 
gagement, we will ensure Congress remains informed of our progress. 

Thank you for the opportunity to testify today. I look forward to your questions. 

Senator Lautenberg. Thank you, Admiral Cook. 

And Mr. Steve Lord, we invite you to give your testimony. 

STATEMENT OF STEPHEN M. LORD, DIRECTOR, 
HOMELAND SECURITY AND JUSTICE ISSUES. 

U.S. GOVERNMENT ACCOUNTABILITY OFFICE 

Mr. Lord. Thank you, Mr. Chairman and distinguished members 
of the Committee. 

I’m really pleased to be here today to discuss the findings of our 
TWIC report, which is being publicly released today. As you know, 
TSA and the Coast Guard jointly manage the TWIC Program, 
which requires maritime workers to obtain a biometric ID card to 
access secure areas of MTSA-regulated facilities and vessels. 

Today, I would like to discuss two issues: the internal controls 
governing TWIC enrollment, background checking, and use, as well 
as DHS assessments of the effectiveness of this program. 

The main point that I’d like to convey today is that internal con- 
trol weaknesses in the TWIC Program’s enrollment and back- 
ground checking process do not provide what we deem as reason- 
able assurance in meeting key security goals; in other words, that 
only qualified individuals are acquiring TWICs. And second, once 
issued a TWIC, TWIC holders maintain their eligibility for holding 
the card. For example, we found that the flags raised by enrollment 
personnel or electronic document scanners were not being system- 
atically used during the background checking process to verify an 
applicant’s identification. This helps explain why our special inves- 
tigators were not detected when using counterfeit or fraudulent ap- 
plication documents to acquire TWICs. TSA also does not verify 
that applicants need a TWIC for employment-related reasons. In 
other words, there’s not employee sponsorship, unlike other govern- 
ment credentials. We also found that program adjudicators do not 
use clear criteria when reviewing TWIC applicants with extensive, 
nondisqualifying criminal convictions, such as larceny and theft. 
This is an important issue, as about 461,000 TWIC holders have 
a criminal record, based on the results from the FBI. And this is 
about 27 percent of the total TWIC-holder population. 

Finally, we also found that program controls did not provide rea- 
sonable assurance that TWIC holders continue to meet immigra- 
tion eligibility requirements once they acquire TWIC. For example, 
the program does not issue TWICs for a term less than 5 years, to 
match the expiration of a visa. Instead, TSA relies on TWIC hold- 
ers and employers to report if a worker is no longer legally present 
in the country. 

The weaknesses I’ve discussed may have contributed to the 
breach of MTSA-regulated ports and facilities during the covert 
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tests we ran. During these tests, our investigators were successful 
in accessing ports using either counterfeit TWICs or real TWICs 
acquired through fraudulent means, paired with a false business 
case for entering a facility. 

And regarding our second key research objective, in seeking to 
determine the impact of the program, we found that DHS has not 
assessed the program’s effectiveness in enhancing port security, a 
key program goal. Thus, it’s unclear, at this point, whether the pro- 
gram is more effective or less effective than prior approaches used 
to enhance port and vessel security. Our report findings would 
question the other witness’ statement that the program signifi- 
cantly enhances national maritime security. 

Today’s report makes several important recommendations to ad- 
dress the internal control weaknesses we identified. For example, 
our report is recommending that DHS complete an internal control 
assessment to identify other potential holes in the system, as well 
as identifying cost-effective fixes. We also recommended that DHS 
conduct a formal assessment to clarify how the program will im- 
prove security, beyond the port efforts already in place. We also 
recommended that the Coast Guard improve the quality of the in- 
formation used to monitor and enforce TWIG compliance. The good 
news I’d like to report today, Mr. Chairman, is that the DHS, TSA, 
and the Coast Guard all agreed to implement all our report rec- 
ommendations. 

In closing, before proceeding on the path to full implementation, 
with potentially billions of dollars at stake, it’s important that Con- 
gress and industry stakeholders fully understand the program’s 
current strengths, current weaknesses, and the likely cost of miti- 
gating the risks we’ve identified in the report we’re releasing today. 

Mr. Chairman, this concludes my prepared testimony. I look for- 
ward to answering any questions that you or other members of the 
Committee may have. 

Thank you. 

[The prepared statement of Mr. Lord follows:] 

Prepared Statement of Stephen M. Lord, Director, Homeland Security and 
Justice Issues, U.S. Government Accountability Office 

Chairman Rockefeller, Ranking Member Hutchison, and members of the Com- 
mittee: 

I am pleased to be here today to discuss credentialing issues associated with the 
security of U.S. transportation systems and facilities. Securing these systems re- 
quires balancing security to address potential threats while facilitating the flow of 
people and goods that are critical to the U.S. economy and international commerce. 
As we have previously reported, these systems and facilities are vulnerable and dif- 
ficult to secure given their size, easy accessibility, large number of potential targets, 
and proximity to urban areas. ^ The Maritime Transportation Security Act of 2002 
(MTSA) required regulations preventing individuals from having unescorted access 
to secure areas of MTSA-regulated facilities and vessels unless they possess a bio- 
metric transportation security card and are authorized to be in such an area. MTSA 
further required that biometric transportation security cards be issued to eligible in- 
dividuals unless determined that an applicant poses a security risk warranting de- 
nial of the card. The Transportation Worker Identification Credential (TWIC) pro- 


^See GAO, Transportation Worker Identification Credential: Progress Made in Enrolling 
Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implemen- 
tation of Card Readers, GAO-10^3 (Washington, D.C.: Nov. 18, 2009). 
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gram is designed to implement these biometric maritime security card require- 
ments.^ 

The TWIC program, once implemented, aims to meet the following stated mission 
needs: 

Positively identify authorized individuals who require unescorted access to se- 
cure areas of the nation’s transportation system. 

Determine the eligibility of individuals to be authorized unescorted access to se- 
cure areas of the transportation system by conducting a security threat assess- 
ment. 

Ensure that unauthorized individuals are not able to defeat or otherwise com- 
promise the access system in order to be granted permissions that have been 
assigned to an authorized individual. 

Identify individuals who fail to maintain their eligibility requirements subse- 
quent to being permitted unescorted access to secure areas of the Nation’s 
transportation system and immediately revoke the individual’s permissions. 

Within the Department of Homeland Security (DHS), the Transportation Security 
Administration (TSA) and the U.S. Coast Guard are responsible for implementing 
and enforcing the TWIC program. In addition, DHS’s Screening Coordination Office 
facilitates coordination among the various DHS components involved in TWIC. 

My statement is based on a report we are releasing publicly today on the TWIC 
program.^ Like the report, it will discuss the extent to which: (1) TWIC processes 
for enrollment, background checking, and use are designed to provide reasonable as- 
surance that unescorted access to secure areas of MTSA-regulated facilities and ves- 
sels is limited to qualified individuals, and (2) DHS has assessed the effectiveness 
of TWIC, and whether the Coast Guard has effective systems in place to measure 
compliance. 

For the report, we reviewed applicable laws, regulations, and policies, as well as 
documentation provided by TSA on the TWIC program systems and processes. We 
also reviewed the processes and data sources with TWIC program management from 
TSA and Lockheed Martin (the contractor responsible for implementing the pro- 
gram) and met with officials from TSA and the Coast Guard, as well as the Crimi- 
nal Justice Information Services Division at the Federal Bureau of Investigation 
(FBI). We then evaluated the processes against the TWIC program’s mission needs 
and Standards for Internal Control in the Federal Government.^ Further, our inves- 
tigators conducted covert testing at enrollment center(s) to identify whether individ- 
uals providing fraudulent information could acquire an authentic TWIC, and at 
maritime ports with MTSA-regulated facilities and vessels to identify security 
vulnerabilities and program control deficiencies. In addition, we reviewed the type 
and substance of management information available to the Coast Guard and com- 
pared them to Standards for Internal Control in the Federal Government. We con- 
ducted this work in accordance with generally accepted government auditing stand- 
ards. We conducted our related investigative work in accordance with standards pre- 
scribed by the Council of the Inspectors General on Integrity and Efficiency. 


2 The program requires maritime workers to complete background checks to obtain a biometric 
identification card and be authorized to be in the secure area by the owner/operator in order 
to gain unescorted access to secure areas of MTSA-regulated facilities and vessels. Under Coast 
Guard regulations, a secure area, in general, is an area over which the owner/operator has im- 
plemented security measures for access control in accordance with a Coast Guard-approved se- 
curity plan. For most maritime facilities, the secure area is generally any place inside the outer- 
most access control point. For a vessel or outer continental shelf facility, such as off-shore petro- 
leum or gas production facilities, the secure area is generally the whole vessel or facility. Bio- 
metrics refers to technologies that measure and analyze human body characteristics for authen- 
tication purposes. The Department of Homeland Security (DHS) has estimated that imple- 
menting the TWIC program could cost the Federal Government and the private sector a com- 
bined total of between $694.3 million and $3.2 billion over a ten-year period. However, these 
figures do not include costs associated with implementing and operating readers. A pilot on the 
use of TWIC with card readers is currently underway and will inform a proposed TWIC regula- 
tion, and these figures are to be updated as part of this process. 

^See GAO, Transportation Worker Identification Credential: Internal Control Weaknesses 
Need to be Corrected to Help Achieve Security Objectives, GAO— 11— 657 (Washington, D.C.: May 
10, 2011). 

^GAO, Standards for Internal Control in the Federal Government, GAO/AIMD— 00-21.3.1 
(Washington, D.C.: November 1999). 
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Internal Control Weaknesses in DHS’s Biometrie Transportation ID 
Program Hinder Efforts to Ensure Security Objectives Are Fully 
Achieved 

DHS has established a system of TWIC-related processes and controls. However, 
internal control weaknesses governing the enrollment, background checking, and 
use of TWIC potentially limit the program’s ability to meet the program’s stated 
mission needs or provide reasonable assurance that access to secure areas of MTSA- 
regulated facilities is restricted to qualified individuals. Specifically, internal con- 
trols ® in the enrollment and background checking processes are not designed to pro- 
vide reasonable assurance that: (1) only qualified individuals can acquire TWICs; (2) 
adjudicators follow a process with clear criteria for applying discretionary authority 
when applicants are found to have extensive criminal convictions; or (3) once issued 
a TWIC, TWIC holders have maintained their eligibility. 

To meet the stated program purpose, TSA’s focus in designing the TWIC program 
was on facilitating the issuance of TWICs to maritime workers. However, TSA did 
not assess the internal controls in place to determine whether they provided reason- 
able assurance that the program could meet defined mission needs for limiting ac- 
cess to only qualified individuals. For example, controls that the TWIC program has 
in place to identify the use of potentially counterfeit identity documents are not 
used to routinely inform background checking processes. Additionally, controls are 
not in place to determine whether an applicant has a need for a TWIC. For example, 
regulations governing the TWIC program security threat assessments require appli- 
cants to disclose their job description and location(s) where they will most likely re- 
quire unescorted access, if known, among other things. However, TSA enrollment 
processes do not require that this information be provided by applicants. 

In addition, TWIC program controls are not designed to require that adjudicators 
follow a process with clear criteria for appl 3 dng discretionary authority when appli- 
cants are found to have extensive criminal convictions. Being convicted of a felony 
does not automatically disqualify a person from being eli^ble to receive a TWIC; 
however, prior convictions for certain crimes are automatically disqualifying.® For 
example, offenses such as espionage or treason would permanently disqualify an in- 
dividual from obtaining a TWIC. Other offenses, such as murder or the unlawful 
possession of an explosive device, while categorized as permanent disqualifiers, are 
also eligible for a waiver under TSA regulations. These offenses might not perma- 
nently disqualify an individual from obtaining a TWIC if TSA determines that an 
applicant does not represent a security threat. As of September 8, 2010, the agency 
reported 460,786 cases where the applicant was approved, but had a criminal record 
based on the results from the FBI. This represents approximately 27 percent of indi- 
viduals approved for a TWIC at the time. Although TSA has the discretion and au- 
thority to consider the totality of an individual’s criminal record, including the exist- 
ence of: (1) extensive criminal convictions, (2) criminal offenses not defined as a per- 
manent or interim disqualif 3 dng criminal offense, such as theft or larceny, and (3) 
certain periods of imprisonment, TSA has not developed a definition for what exten- 
sive foreign or domestic criminal convictions means, or developed guidance to ensure 
that adjudicators apply this authority consistently. In commenting on our report, 
DHS concurred with our related recommendation, and consequently may address 
this weakness as part of its efforts to correct internal control weaknesses in the 
TWIC program. 

Further, TWIC program controls are not designed to provide reasonable assurance 
that TWiC holders have maintained their eligibility once issued TWICs. For exam- 
ple, controls are not designed to determine whether TWIC holders have committed 
disqualifying crimes at the Federal or state level after being granted a TWIC. Al- 
though existing policies may hamper TSA’s ability to check FBI-held fingerprint- 
based criminal history records for the TWIC program on an ongoing basis after 
TWIC issuance, TSA has not explored alternatives for addressing this weakness, 
such as informing facility and port operators of this weakness and identifying solu- 
tions for leveraging existing state criminal history information, where available. In 


®In accordance with Standards for Internal Control in the Federal Government, the design 
of the internal controls is to he informed by identified risks the program faces from both internal 
and external sources; the possible effect of those risks; control activities required to mitigate 
those risks; and the cost and benefits of mitigating those risks. 

® Threat assessment processes for the TWIC program include conducting background checks 
to determine whether each TWIC applicant poses a security threat. These checks, in general, 
can include checks for criminal history records, immigration status, terrorism databases and 
watchlists, and records indicating an adjudication of a lack of mental capacity, among other 
things. As defined in TSA implementing regulations, the term security threat means an indi- 
vidual who TSA determines or suspects of posing a threat to national security, to transportation 
security, or of terrorism. 
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addition, controls are not designed to provide reasonable assurance that TWIC hold- 
ers continue to meet immigration status eligibility requirements. For example, if a 
TWIC holder’s stated period of legal presence in the United States is about to expire 
or has expired, the TWIC program does not request or require proof from TWIC 
holders to show that they continue to maintain legal presence in the United States. 
Additionally, although it has regulatory authority to do so, the program does not 
issue TWICs for a term less than 5 years to match the expiration of a visa.’’ 

Internal control weaknesses in TWIC enrollment, background checking, and use 
could have contributed to the breach of selected MTSA-regulated facilities during 
covert tests conducted by our investigators. During these tests at several selected 
ports, our investigators were successful in accessing ports using counterfeit TWICs, 
authentic TWICs acquired through fraudulent means, and false business cases (i.e., 
reasons for requesting access). Our investigators did not gain unescorted access to 
a port where a secondary port-specific identification was required in addition to the 
TWIC. TSA and Coast Guard officials stated that the TWIC card alone is not suffi- 
cient and that the cardholder is also required to present a business case. However, 
our covert tests demonstrated that having an authentic TWIC and a legitimate busi- 
ness case were not always required in practice. 

Prior to fielding the program, TSA did not conduct a risk assessment of the TWIC 
program to identify program risks and the need for controls to mitigate existing 
risks and weaknesses, as called for by internal control standards. Such an assess- 
ment could help provide reasonable assurance that control weaknesses in one area 
of the program do not undermine the reliability of other program areas or impede 
the program from meeting mission needs. TWiC program officials told us that con- 
trol weaknesses were not addressed prior to initiating the TWIC program because 
they had not previously identified them, or because they would be too costly to ad- 
dress. However, as we noted in our report, officials did not provide: (1) documenta- 
tion to support their cost concerns and (2) did not complete an assessment of wheth- 
er they needed to implement additional compensating controls or of the risks associ- 
ated with not correcting for existing internal control weaknesses. In our May 2011 
report, we recommended that the Secretary of Homeland Security perform an inter- 
nal control assessment of the TWIC program by: (1) analyzing existing controls, (2) 
identifying related weaknesses and risks, and (3) determining cost-effective actions 
needed to correct or compensate for those weaknesses so that reasonable assurance 
of meeting TWIC program objectives can be achieved. This assessment should con- 
sider weaknesses we identified in this report among other things. DHS officials con- 
curred with our recommendation. 

TWIC’s Effectiveness at Enhancing Security Has Not Been Assessed, and 
the Coast Guard Lacks the Ability to Assess Trends in TWIC 
Compliance 

DHS asserted in its 2009 and 2010 budget submissions that the absence of the 
TWIC program would leave America’s critical maritime port facilities vulnerable to 
terrorist activities.® However, to date, DHS has not assessed the effectiveness of 
TWIC at enhancing security or reducing risk for MTSA-regulated facilities and ves- 
sels. Further, DHS has not demonstrated that TWIC, as currently implemented and 
planned with card readers, is more effective than prior approaches used to limit ac- 
cess to ports and facilities, such as using facility-specific identity credentials with 
business cases. 

According to TSA and Coast Guard officials, because the program was mandated 
by Congress as part of MTSA, DHS did not conduct a risk assessment to identify 
and mitigate program risks prior to implementation. Further, according to these of- 
ficials, neither the Coast Guard nor TSA analyzed the potential effectiveness of 


"^Instead, TSA relies on: (1) TWIC holders to self-report if they no longer have legal presence 
in the country, and (2) employers to report if a worker is no longer legally present in the coun- 
try. TWIC-related regulations provide, for example, that individuals disqualified from holding 
a TWIC for immigration status reasons must surrender the TWIC to TSA. In addition, the regu- 
lations provide that TWICs are deemed to have expired when the status of certain lawful non- 
immigrants with a restricted authorization to work in the United States (e.g., H-lBl Free Trade 
Agreement) expires, the employer terminates the employment relationship with such an appli- 
cant, or such applicant otherwise ceases working for the employer, regardless of the date on the 
face of the TWIC. Upon the expiration of such nonimmigrant status for an individual who has 
a restricted authorization to work in the United States, the employer and employee hoth have 
related responsihilities — the employee is required to surrender the TWIC to the employer, and 
the employer is required to retrieve the TWIC and provide it to TSA. 

®See DHS, DHS Exhibit 300 Public Release BYIO/TSA — Transportation Worker Identification 
Credentialing (TWIC) (Washington, D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Release 
BY09/TSA — Transportation Worker Identification Credentialing (TWIC) (Washington, D.C.: July 
27, 2007). 
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TWIC in reducing or mitigating security risk — either before or after implementa- 
tion — because they were not required to do so by Congress. However, internal con- 
trol weaknesses raise questions about the effectiveness of the TWIC program. More- 
over, as we have previously reported. Congress also needs information on whether 
and in what respects a program is working well or poorly to support its oversight 
of agencies and their budgets, and agencies’ stakeholders need performance informa- 
tion to accurately judge program effectiveness. Therefore, we recommended in our 
May 2011 report that the Secretary of Homeland Security conduct an effectiveness 
assessment that includes addressing internal control weaknesses and, at a min- 
imum, evaluates whether use of TWIC in its present form and planned use with 
readers would enhance the posture of security beyond efforts already in place given 
costs and program risks. DHS concurred with our recommendation. 

Further, Executive Branch requirements provide that prior to issuing a new regu- 
lation, agencies are to conduct a regulatory analysis, which is to include an assess- 
ment of costs, benefits, and risks. Therefore, DHS is required to issue a new regu- 
latory analysis for its proposed regulation on the use of TWIC with biometric card 
readers. Conducting a regulatory analysis using the information from the internal 
control and effectiveness assessments could better inform the new regulatory anal- 
ysis and could help DHS identify and assess the full costs and benefits of imple- 
menting the TWIC program. Therefore, in our May 2011 report, we recommended 
that the Secretary of Homeland Security use the information from the internal con- 
trol and effectiveness assessments as the basis for evaluating the costs, benefits, se- 
curity risks, and corrective actions needed to implement the TWIC program. This 
should be done in a manner that will meet stated mission needs and mitigate exist- 
ing security risks as part of the regulatory analysis being completed for the new 
TWIC biometric card reader regulation. DHS concurred with our recommendation. 

Finally, the Coast Guard’s approach for monitoring and enforcing TWIC compli- 
ance nationwide could be improved by enhancing its collection and assessment of 
related maritime security information. For example, the Coast Guard tracks TWIC 
program compliance, but the processes involved in the collection, cataloguing, and 
querying of information cannot be relied on to produce the management information 
needed to assess trends in compliance with the TWIC program or associated 
vulnerabilities. The Coast Guard uses its Marine Information for Safety and Law 
Enforcement (MISLE) database to monitor activities related to MTSA-regulated fa- 
cility and vessel oversight, including observations of TWIC-related deficiencies. 
Coast Guard officials reported that they are making enhancements to the MISLE 
database and plan to distribute updated guidance on how to collect and input infor- 
mation. However, as of May 2011, the Coast Guard had not yet set a date for imple- 
menting these changes. Further, these enhancements do not address all weaknesses 
identified in our report that hamper the Coast Guard’s efforts to conduct trend anal- 
ysis of the deficiencies as part of its compliance reviews. Therefore, in our May 2011 
report, we recommended that the Secretary of Homeland Security direct the Com- 
mandant of the Coast Guard to design effective methods for collecting, cataloguing, 
and querying TWIC-related compliance issues to provide the Coast Guard with the 
enforcement information needed to assess trends in compliance with the TWIC pro- 
gram and identify associated vulnerabilities. DHS concurred with our recommenda- 
tion. 

As the TWIC program continues on the path to full implementation — with poten- 
tially billions of dollars needed to install TWIC card readers in thousands of the na- 
tion’s ports, facilities, and vessels at stake — it is important that Congress, program 
officials, and maritime industry stakeholders fully understand the program’s poten- 
tial benefits and vulnerabilities, as well as the likely costs of addressing these po- 
tential vulnerabilities. The report we are releasing today aims to help inform stake- 
holder views on these issues. 

Chairman Rockefeller, Ranking Member Hutchison, and members of the Com- 
mittee, this concludes my prepared testimony. I look forward to answering any ques- 
tions that you may have. 
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Attachment 

U.S. Government Accountability Office (GAO) — Report to Congressional Requesters — 
May 2011 — Transportation Worker Identification Credential 

Internal Control Weaknesses Need to Be Correeted to Help Achieve 
Security Objectives 

Abbreviations 

ATSA — ^Aviation and Transportation Security Act 

CSOC — Colorado Springs Operations Center 

DHS — Department of Homeland Security 

FBI — Federal Bureau of Investigation 

FEMA — Federal Emergency Management Agency 

lAFIS — Integrated Automated Eingerprint Identification System 

III — Interstate Identification Index 

MISLE — Marine Information for Safety and Law Enforcement 

MSRAM — Maritime Security Risk Analysis Model 

MTSA — Maritime Transportation Security Act 

NCIC — National Crime Information Center 

NIPP — National Infrastructure Protection Plan 

SAFE Port Act — Security and Accountability For Every Port Act 

SAVE — Systematic Alien Verification for Entitlements 

TSA — Transportation Security Administration 

TWIC — Transportation Worker Identification Credential 


May 10, 2011 

Congressional Requesters 

Securing transportation systems and facilities requires balancing security to ad- 
dress potential threats while facilitating the flow of people and goods that are crit- 
ical to the United States economy and necessary for supporting international com- 
merce. As we have previously reported, these systems and facilities are vulnerable 
and difficult to secure given their size, easy accessibility, large number of potential 
targets, and proximity to urban areas. ^ 

The Maritime Transportation Security Act of 2002 ^ (MTSA) required the Sec- 
retary of Homeland Security to prescribe regulations preventing individuals from 
having unescorted access to secure areas of MTSAregulated facilities and vessels 
unless they possess a biometric transportation security card and are authorized to 
be in such an area.^ MTSA further tasked the Secretary with the responsibility to 
issue biometric transportation security cards to eligible individuals unless the Sec- 
retary determines that an applicant poses a security risk warranting denial of the 
card. The Transportation Worker Identification Credential (TWIC) program is de- 
signed to implement these biometric maritime security card requirements. The pro- 
gram requires maritime workers to complete background checks to obtain a biomet- 
ric identification card and be authorized to be in the secure area by the owner/oper- 
ator in order to gain unescorted access to secure areas of MTSA-regulated facilities 


1 See GAO, Transportation Worker Identification Credential: Progress Made in Enrolling Work- 
ers and Activating Credentials hut Evaluation Plan Needed to Help Inform the Implementation 
of Card Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009); Transportation Security: DHS 
Should Address Key Challenges before Implementing the Transportation Worker Identification 
Credential Program, GAO-06— 982 (Washington, D.C.: Sept. 29, 2006); and Port Security: Better 
Planning Needed to Develop and Operate Maritime Worker Identification Card Program, GAO- 
05-106 (Washington, D.C.: Dec. 10, 2004). 

2 Pub. L. No. 107-295, 116 Stat. 2064 (2002). 

2 Under Coast Guard regulations, a secure area, in general, is an area over which the owner/ 
operator has implemented security measures for access control in accordance with a Coast 
Guard-approved security plan. For most maritime facilities, the secure area is generally any 
place inside the outer-most access control point. For a vessel or outer continental shelf facility, 
such as off-shore petroleum or gas production facilities, the secure area is generally the whole 
vessel or facility. 
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and vessels.^ According to the Coast Guard, as of December 2010 and January 2011, 
there were 2,509 facilities and 12,908 vessels, respectively, which are subject to 
MTSA regulations and must implement TWIC provisions.® 

Within the Department of Homeland Security (DHS), the Transportation Security 
Administration (TSA) and the U.S. Coast Guard are responsible for implementing 
and enforcing the TWIC program. TSA’s responsibilities include enrolling TWIC ap- 
plicants, conducting background checks to assess the individual’s security threat, 
and issuing TWICs. The Coast Guard is responsible for developing TWIC-related se- 
curity regulations and ensuring that MTSA-regulated maritime facilities and vessels 
are in compliance with these regulations. In addition, DHS’s Screening Coordination 
Office facilitates coordination among the various DHS components involved in 
TWIC, such as TSA and the Coast Guard, as well as the U.S. Citizenship and Immi- 
gration Services, which personalizes the credentials,® and the Federal Emergency 
Management Agency, which administers grant funds in support of the TWIC pro- 
gram. 

In January 2007, a federal regulation (known as the TWIC credential rule) set 
a compliance deadline, subsequently extended to April 15, 2009, whereby each mari- 
time worker seeking unescorted access to secure areas of MTSA-regulated facilities 
and vessels must possess a TWIC.'^ In September 2008, we reported that TSA, the 
Coast Guard, and maritime industry stakeholders ie.g., operators of MTSA-regu- 
lated facilities and vessels) had faced challenges in implementing the TWIC pro- 
gram, including enrolling and issuing TWICs to a larger population than was origi- 
nally anticipated, ensuring that TWIC access control technologies perform effec- 
tively in the harsh maritime environment, and balancing security requirements with 
the flow of maritime commerce.® In November 2009, we reported that progress had 
been made in enrolling workers and activating TWICs, and recommended that TSA 
develop an evaluation plan to guide pilot efforts and help inform the future imple- 
mentation of TWIC with electronic card readers.® DHS generally concurred and dis- 
cussed actions to implement the recommendations, but these actions have not yet 
fully addressed the intent of all of the recommendations. Currently, TWICs are pri- 
marily used as visual identity cards — known as a flashpass — where a card is to be 
visually inspected before a cardholder is allowed unescorted access to a secure area 
of a MTSA-regulated port or facility. As of January 6, 2011, TSA reported over 
1.7 million enrollments and 1.6 million cards issued and activated.^^^ 

In response to your request, we evaluated the extent to which TWIC program con- 
trols provide reasonable assurance that unescorted access to secure areas of MTSA- 
regulated facilities and vessels is limited to those possessing a legitimately issued 
TWIC and who are authorized to be in such an area. Specifically, this report ad- 
dresses the following questions: 

1. To what extent are TWIC processes for enrollment, background checking, and 
use designed to provide reasonable assurance that unescorted access to secure 
areas of MTSA-regulated facilities and vessels is limited to qualified individ- 
uals? 

2. To what extent has DHS assessed the effectiveness of TWIC, and does the 
Coast Guard have effective systems in place to measure compliance? 

This report is a public version of a related sensitive report that we issued to you 
in May 2011. DHS and TSA deemed some of the information in the prior report as 
sensitive security information, which must be protected from public disclosure. 


^Biometrics refers to technologies that measure and analyze human body characteristics — 
such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measure- 
ments — for authentication purposes. 

®33 C.F.R. Part 105, for example, governs maritime facility security and sets forth general 
security requirements along with requirements for facility security assessments and facility se- 
curity plans, among other things. General maritime security requirements pertaining to vessels 
are set out in 33 C.F.R. Part 104. 

® A card is personalized when the card holder’s personal information, such as photograph and 
name, are added to the card. 

■'72 Fed. Reg. 3492 (2007); Extension of deadline to April 15, 2009 by 73 Fed. Reg. 25562 
(2008). 

®GAO, Transportation Worker Identification Credential: A Status Update, GAO-08— 1151T 
(Washington, D.C.: Sept. 17, 2008). 

®GAO-10-43. 

10 TWIC guidance provides that possession of a TWIC is required for an individual to be eligi- 
ble for unescorted access to secure areas of vessels and facilities. With the issuance of a TWIC, 
it is still the responsibility of facility and vessel owners to determine who should be granted 
access to their facilities or vessels. 

Prior to issuing a TWIC, each TWIC is activated, or turned on, after the person being issued 
the TWIC provides a personal identification number. 
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Therefore, this report omits sensitive information about the TWIC program, includ- 
ing techniques used to enroll and conduct a background check on individuals and 
assess an individual’s eligibility for a TWIC, and the technologies that support 
TWIC security threat assessment determinations and Coast Guard inspections. In 
addition, at TSA’s request, we have redacted data on specific enrollment center(s) 
and maritime ports where our investigators conducted covert testing. Although the 
information provided in this report is more limited in scope, it addresses the same 
questions and includes the same recommendations as the sensitive report. Also, the 
overall methodology used for both reports is the same. 

To assess the extent to which TWIC program processes were designed to provide 
reasonable assurance that unescorted access to secure areas of MTSA-regulated fa- 
cilities and vessels is limited to qualified individuals, we reviewed applicable laws, 
regulations, and policies. We also reviewed documentation provided by TSA on the 
TWIC program systems and processes, such as the TWIC User Manual for Trusted 
Agents, Statement of Objectives, and Concept of Operations. We further reviewed 
the processes and data sources with TWIC program management from TSA and 
Lockheed Martin (the contractor responsible for implementing the program). We 
also met with: (1) the Director of Vetting Operations at TSA’s Colorado Springs Op- 
erations Center (CSOC), where background checks for links to terrorism and con- 
tinual vetting of TWIC holders is to take place; (2) the Operations Manager for the 
Adjudication Center, where secondary background checks are to be conducted for ap- 
plicants with identified criminal or immigration issues; and (3) the Director at 
DHS’s Screening Coordination Office responsible for overseeing credentialing pro- 
grams across DHS. Additionally, we met with the Criminal Justice Information 
Services Division at the Federal Bureau of Investigation (FBI) to discuss criminal 
vetting processes and policies. We then evaluated the processes against the TWIC 
program’s mission needs and Standards for Internal Control in the Federal Govern- 
ments* As part of our assessment of TWIC program controls, we also did the fol- 
lowing: 

• We visited four TWIC enrollment and activation centers located in areas with 
high population density and near ports participating in the TWIC pilot to ob- 
serve how TWIC enrollments are conducted.'^® The results are not generalizable 
to all enrollment and activation centers; however, because all centers are to con- 
duct the same operations following the same guidance, the locations we visited 
provided us with an overview of the TWIC enrollment and activation/issuance 
processes. 

• We had our investigators conduct covert testing at enrollment center(s) oper- 
ating at the time to identify whether individuals providing fraudulent informa- 
tion could acquire an authentic TWIC. The information we obtained from the 
covert testing at enrollment center(s) is not generalizable across all TWIC en- 
rollment centers. However, because all enrollments are to be conducted fol- 
lowing the same established processes, we believe that the information from our 
covert tests provided us with important perspective on TWIC program enroll- 
ment and background checking processes, as well as potential challenges in 
verifying an individual’s identity. 

Further our investigators conducted covert testing at several selected maritime 
ports with MTSA-regulated facilities and vessels to identify security vulnerabilities 
and program control deficiencies. These locations were selected based on their geo- 
graphic location across the country (east coast, gulf coast, and west coast) and port 


See, for example, MTSA, Security and Accountability For Every Port Act (SAFE Port Act) 
of 2006 (Pub. L. No. 109—347, 120 Stat. 1884 (2006)) amendments to MTSA, Navigation and 
Vessel Inspection Circular Number 03-07: Guidance for the Implementation of the Transpor- 
tation Worker Identification Credential Program in the Maritime Sector (Washington, D.C.: July 
2, 2007), Coast Guard Policy Advisory Council (PAC) decisions, and Commandant Instruction 
M16601.01: Coast Guard Transportation Worker Identification Credential Verification and En- 
forcement Guide (Washin^on, D.C.: Oct. 10, 2008). 

12 To assess the reliability of data on the number of TWIC enrollments, the number of self- 
identified U.S. citizens or nationals asserting themselves to be born in the United States or in 
a U.S. territory, and the number of TWICs approved after the initial background check, we re- 
viewed program systems documentation and interviewed knowledgeable agency officials about 
the source of the data and the controls the TWIC program and systems had in place to maintain 
the integrity of the data. We determined that the data were sufficiently reliable for the purposes 
of our report. The data we reviewed were collected between October 2007 and December 2010. 

11 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00— 21.3.1 
(Washington, D.C.: November 1999). 

15 We visited the Howland Hook enrollment center in Staten Island, New York, the Whitehall 
Ferry Terminal enrollment center in New York, New York, the Terminal Island enrollment cen- 
ter in San Pedro, California, and the Long Beach enrollment center in Long Beach, California. 
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size in terms of cargo volume. We also visited or met with officials at each of the 
seven original pilot sites being used to test TWIC card readers/® interviewed port 
security officials at two additional ports responsible for implementing TWIC at their 
port/'^ and met with nine maritime or transportation industry associations to ob- 
tain information on: (1) the use of TWIC as a flashpass and with biometric readers 
where they are in use, (2) experiences with TWIC card performance, and (3) any 
suspected or reported cases of TWIC card fraud. The information we obtained from 
the security officials at the 9 ports or pilot participants we visited is not generaliz- 
able across the maritime transportation industry as a whole, but collectively, the 
ports we visited accounted for 56 percent of maritime container trade in the United 
States, and the ports our investigators visited as part of our covert testing efforts 
accounted for 54 percent of maritime container trade in the United States in 2009. 
As such, we believe that the information from these interviews, site visits, and cov- 
ert tests provided us with important additional perspective and context on the 
TWIC program, as well as information about potential implementation challenges 
faced by MTSA-regulated facilities/vessels, transportation workers, and mariners. 

To assess the extent to which DHS has assessed the effectiveness of TWIC, and 
determine whether the Coast Guard has effective systems in place to measure com- 
pliance, we reviewed applicable laws, regulations, and policies. We also met with 
TWIC program officials from TSA and the Coast Guard, as well as Coast Guard offi- 
cials responsible for assessing maritime security risk, and reviewed related docu- 
ments, to identify how TWIC is to enhance maritime security.^® In addition, we met 
with Coast Guard TWIC program officials, data management staff, and Coast Guard 
officials stationed at four port areas across the United States with enforcement re- 
sponsibilities to assess the agency’s approach to enforcing compliance with TWIC 
regulations and measuring program effectiveness.®^ As part of this effort, we re- 
viewed the type and substance of management information available to the Coast 
Guard for assessing compliance with TWIC. In performing this work, we evaluated 
the Coast Guard’s practices against TWIC program mission needs and Standards 
for Internal Control in the Federal Government. 

We conducted this performance audit from November 2009 through March 2011 
in accordance with generally accepted government auditing standards. Those stand- 
ards require that we plan and perform the audit to obtain sufficient, appropriate 
evidence to provide a reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides a reasonable basis 
for our findings and conclusions based on our audit objectives. We conducted our 
related investigative work in accordance with standards prescribed by the Council 
of the Inspectors General on Integrity and Efficiency.®® 


We visited pilot participants at the Ports of Los Angeles, Long Beach, and Brownsville, and 
the Port Authority of New York and New Jersey. We also interviewed and or met with officials 
at vessel operations participating in the TWIC pilot, including the Staten Island Ferry in Staten 
Island, New York; Magnolia Marine Transports in Vicksburg, Mississippi; and Watermark 
Cruises in Annapolis, Maryland. 

We met with officials responsible for implementing TWIC at the Port of Baltimore and the 
Port of Houston. We selected the Port of Baltimore based on proximity to large population cen- 
ters and we selected the Port of Houston because it was using TWICs with readers. 

i®We interviewed representatives from the Association of the Bi-State Motor Carriers, the 
New Jersey Motor Truck Association, the Association of American Railroads, the American Pub- 
lic Transportation Association, the American Association of Port Authorities, the International 
Liquid Terminals Association, the International Longshore and Warehouse Union, the National 
Employment Law Project, and the Passenger Vessel Association. These organizations were se- 
lected because together they represent the key constituents of port operations. 

See, for example, MTSA, Security and Accountability For Every Port Act (SAFE Port Act) 
of 2006 (Pub. L. No. 109—347, 120 Stat. 1884 (2006)) amendments to MTSA, Navigation and 
Vessel Inspection Circular Number 03-07: Guidance for the Implementation of the Transpor- 
tation Worker Identification Credential Program in the Maritime Sector (Washington, D.C.: July 
2, 2007), Coast Guard Policy Advisory Council (PAC) decisions, and Commandant Instruction 
M16601.01: Coast Guard Transportation Worker Identification Credential Verification and En- 
forcement Guide (Washington, D.C.: Oct. 10, 2008). 

See, for example, the Coast Guard’s 2()08 Analysis of Transportation Worker Identification 
Credential (TWIC) Electronic Reader Requirements in the Maritime Sector, and the Homeland 
Security Institute’s 2008 Independent Verification and Validation of Development of Transpor- 
tation Worker Identification Credential (TWIC) Reader Requirements. 

We interviewed Coast Guard officials in New York and New Jersey; Los Angeles and Long 
Beach, California; Corpus Christi, Texas; and Baltimore, Maryland. We met with these Coast 
Guard officials because the facilities, vessels, and enrollment centers we visited are housed in 
these officials’ area(s) of responsibility. 

22 During the course of the audit, we provided briefings on the preliminary results of our work 
in May and October 2010. 
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Background 

TWIC History and Purpose 

In November 2001, the Aviation and Transportation Security Act (ATSA)^^ was 
enacted, requiring TSA to, among other things, work with airport operators to 
strengthen access control points to secured areas and to consider using biometric ac- 
cess control systems, or similar technologies, to verify the identity of individuals 
who seek to enter a secure airport area. In response to ATSA, TSA established the 
TWIC program in December 2001. In November 2002, MTSA was enacted and re- 
quired the Secretary of Homeland Security to issue a maritime worker identification 
card that uses biometrics to control access to secure areas of maritime transpor- 
tation facilities and vessels.^® In addition, the Security and Accountability For Every 
Port Act (SAFE Port Act) of 2006 amended MTSA and directed the Secretary of 
Homeland Security to, among other things, implement the TWIC pilot project to test 
TWIC use with biometric card readers and inform a future regulation on the use 
of TWIC with electronic readers. 

In requiring the issuance of transportation security cards for entry into secure 
areas of a facility or vessel as part of MTSA, Congress noted in the “Findings” sec- 
tion of the legislation that ports in the United States are a major location for Fed- 
eral crime such as cargo theft and smuggling, and are susceptible to large-scale acts 
of terrorism.^® For example, according to the Coast Guard’s January 2008 National 
Maritime Terrorism Threat Assessment, al Qaeda leaders and supporters have iden- 
tified western maritime assets as legitimate targets.^'^ Moreover, according to the 
Coast Guard assessment, al Qaeda-inspired operatives are most likely to use vehicle 
bombs to strike U.S. cargo vessels, tankers, and fixed coastal facilities such as ports. 
Studies have demonstrated that attacks on ports could have serious consequences. 
For example, a study by the Center for Risk and Economic Analysis of Terrorist 
Events on the impact of a dirty bomb attack on the Ports of Los Angeles and Long 
Beach estimated that the economic consequences from a shutdown of the harbors 
due to the contamination could result in significant losses in the tens of billions of 
dollars, including the decontamination costs and the indirect economic impacts due 
to the port shutdown.^® 

As defined by DHS, the purpose of the TWIC program is to design and field a 
common credential for all transportation workers across the United States who re- 
quire unescorted access to secure areas at MTSA-regulated maritime facilities and 
vessels.^® As such, the TWIC program, once implemented, aims to meet the fol- 
lowing stated mission needs: 

• Positively identify authorized individuals who require unescorted access to se- 
cure areas of the Nation’s transportation system. 

• Determine the eligibility of individuals to be authorized unescorted access to se- 
cure areas of the transportation system by conducting a security threat assess- 
ment. 

• Ensure that unauthorized individuals are not able to defeat or otherwise com- 
promise the access system in order to be granted permissions that have been 
assigned to an authorized individual. 

• Identify individuals who fail to maintain their eligibility requirements subse- 
quent to being permitted unescorted access to secure areas of the Nation’s 
transportation system and immediately revoke the individual’s permissions. 


23 Pub. L. No. 107-71, 115 Stat. 597 (2001). 

24 TSA was transferred from the Department of Transportation to DHS pursuant to require- 
ments in the Homeland Security Act, enacted on November 25, 2002 (Pub. L. No. 107—296, 116 
Stat. 2135, 2178 (2002)). 

23 Prior to TWIC, facilities and vessels administered their own approaches for controlling ac- 
cess based on the perceived risk at the facility. These approaches, among others, included re- 
quiring people seeking access to have a reason for entering, facility-specific identification, and 
in some cases, a background check. Some ports and port facilities still maintain their own cre- 
dentials. 

23Maritime Transportation Security Act of 2002 (Pub. L. No. 107-295,116 Stat. 2064 (2002)). 
The FBI estimates that in the United States, cargo crime amounts to $12 billion annually and 
finds that most cargo theft occurs in or near seaports. 

22 U.S. Coast Guard Intelligence Coordination Center, National Maritime Terrorism Threat 
Assessment (Washington, D.C.: Jan. 7, 2008). 

23 H. Rosoff and I), von Winterfeldt, “A Risk and Economic Analysis of Dirty Bomb Attacks 
on the Ports of Los Angeles and Long Beach,” Journal of Risk Analysis, vol. 27, no. 3 (2007). 
This research was supported by DHS through the Center for Risk and Economic Analysis of Ter- 
rorist Events by grant funding. 

29 This is defined in the TWIC System Security Plan and the DHS Budget Justification to 
Congress for Fiscal Years 2009 and 2010. 
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TWIC Program Processes for Ensuring TWIC-Holder Eligibility 

TSA is responsible for enrolling TWIC applicants and conducting background 
checks to ensure that only eligible individuals are granted TWICs.^*’ In addition, 
pursuant to TWIC-related regulations, MTSAregulated facility and vessel operators 
are responsible for reviewing each individual’s TWIC as part of their decision to 
grant unescorted access to secure areas of their facilities. The Coast Guard is re- 
sponsible for assessing and enforcing operator compliance with TWIC-related laws 
and regulations. Described below are key components of each process for ensuring 
TWIC-holder eligibility. 

Enrollment: Transportation workers are enrolled by providing biographic informa- 
tion, such as name, date of hirth, and address, and proof of identity documents, and 
then being photographed and fingerprinted at enrollment centers by trusted agents. 
A trusted agent is a member of the TWIC team who has been authorized by the 
Federal Government to enroll transportation workers in the TWIC program and 
issue TWIC cards. Appendix I summarizes key steps in the enrollment process. 

Background checking: TSA conducts background checks on each worker who ap- 
plies for a TWIC to ensure that individuals who enroll do not pose a security risk 
to the United States. A worker’s potential link to terrorism, criminal history, immi- 
gration status, and mental capacity are considered as part of the security threat as- 
sessment. Workers have the opportunity to appeal negative results of the threat as- 
sessment or request a waiver of certain specified criminal offenses, and immigration 
or mental capacity standards. Specifically, the TWIC background checking process 
includes two levels of review. 

First-level review: Initial automated background checking. The initial automated 
background checking process is conducted to determine whether any derogatory 
information is associated with the name and fingerprints submitted by an appli- 
cant during the enrollment process. This check is conducted against the FBI’s 
criminal history records. These records contain information from Federal and 
state and local sources in the FBI’s National Crime Information Center (NCIC) 
database and the FBI’s Integrated Automated Fingerprint Identification System 
(IAFIS)/Interstate Identification Index (III), which maintain criminal records 
and related fingerprint submissions. Rather than positively confirming each in- 
dividual’s identity using the submitted fingerprints, the FBI’s criminal history 
records check is a negative identification check, whereby the fingerprints are 
used to confirm that the associated individual is not on the FBI criminal history 
list. If an individual is identified as being on the FBI’s criminal history list, rel- 
evant information is to be forwarded to TSA for adjudication.^^ The check is 
also conducted against Federal terrorism information from the Terrorist Screen- 
ing Data base, including the Selectee and No-Fly Lists.^® To determine an appli- 
cant’s immigration/citizenship status and eligibility, TSA also runs applicant in- 
formation against the Systematic Alien Verification for Entitlements (SAVE) 
system. If the applicant is identified as a U.S.-born citizen with no related de- 
rogatory information, the system can approve the issuance of a TWIC with no 
further review of the applicant or human intervention. 


30 TWIC program threat assessment processes include conducting a background check to de- 
termine whether each TWIC applicant is a security risk to the United States. These checks, in 
general, can include checks for criminal history records, immigration status, terrorism databases 
and watchlists, and records indicating an adjudication of lack of mental capacity, among other 
things. TSA security threat assessment-related regulations define the term security threat to 
mean an individual whom TSA determines or suspects of posing a threat to national security; 
to transportation security; or of terrorism. 

Trusted agents are subcontractor staff acquired by Lockheed Martin as part of its support 
contract with TSA for the TWIC program. 

Not all TWIC applicants will have readable fingerprints. As we have previously reported, 
it is estimated that about 2 percent to 5 percent of people cannot be easily fingerprinted because 
their fingerprints have become dry or worn from age, extensive manual labor, or exposure to 
corrosive chemicals (See GAO, Technology Assessment: Using Biometrics for Border Security, 
GAO-03-174 (Washington, D.C.: Nov. 15, 2002). 

33 Pursuant to Homeland Security Presidential Directive 6, dated September 16, 2003, the 
Terrorist Screening Center — under the administration of the FBI — was established to develop 
and maintain the U.S. government’s consolidated terrorist screening database (the watch list) 
and to provide for the use of watch-list records during security-related screening processes. The 
Selectee List contains information on individuals who should receive enhanced screening {e.g., 
additional physical screening or a hand-search of carryon baggage) before proceeding through 
the security checkpoint at airports. The No Fly List contains information on individuals who 
should be precluded from boarding flights. The No Fly and Selectee lists contain applicable 
records from the FBI Terrorist Screening Center’s consolidated database of known or appro- 
priately suspected terrorists. 
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Second-level review: TSA’s Adjudication Center Review. A second-level review is 
conducted as part of an individual’s background check if: (1) the applicant has 
self-identified themselves to be a non-U.S. citizen or non-U.S.-born citizen or na- 
tional, or (2) the first-level review uncovers any derogatory information. As 
such, not all TWIC applicants will be subjected to a second-level review. The 
second-level review consists of staff at TSA’s adjudication center reviewing the 
applicant’s enrollment file.^’^ 

Card use and compliance: Once a TWIC has been activated and issued, the work- 
er may present his or her TWIC to security officials when he or she seeks 
unescorted access to a secure area. Currently, visual inspections of TWICs are re- 
quired for controlling access to secure areas of MTSAregulated facilities and ves- 
sels.^® Approaches for inspecting TWICs using biometric readers at individual facili- 
ties and vessels across the nation are being considered as part of a pilot but are 
not yet required. Pursuant to Coast Guard policy,®® Coast Guard inspectors are re- 
quired to verify TWIC cards during annual compliance exams, security spot checks, 
and in the course of other Coast Guard duties as determined by the Captain of the 
Port®'^ based on risk and resource availability. The Coast Guard’s primary means 
of verification is shifting toward the use of biometric handheld readers with the con- 
tinued deployment of readers to each of its Sectors and Marine Safety Units.®® As 
of December 21, 2010, the Coast Guard reports to have deployed biometric handheld 
readers to all of its 35 Sectors and 16 Marine Safety Units. 

TWIC Regulations and Cost 

In August 2006, DHS officials decided, based on industry comment, to implement 
TWIC through two separate regulations, or rules. The first rule, issued in January 
2007, directs the use of the TWIC as an identification credential, or flashpass. The 
second rule, the card reader rule, is currently under development and is expected 
to address how the access control technologies, such as biometric card readers, are 
to be used for confirming the identity of the TWIC holder against the biometric in- 
formation on the TWIC. On March 27, 2009, the Coast Guard issued an Advance 
Notice of Proposed Rule Making for the card reader rule.®® 

To inform the rulemaking process, TSA initiated a pilot in August 2008, known 
as the TWIC reader pilot, to test TWIC-related access control technologies."*® This 
pilot is intended to test the technology, business processes, and operational impacts 
of deploying TWIC readers at secure areas of the marine transportation system. As 
such, the pilot is expected to test the feasibility and functionality of using TWICs 


®*If an applicant has asserted him/herself to be a non-U.S. citizen or non-U.S. -bom citizen, 
TSA staff at the adjudication center are to positively identify the individual by confirming as- 
pects of the individual’s biographic information, inclusive of their alien registration number and 
other physical descriptors, against available databases. For those individuals, TSA requires that 
at least one of the documents provided as proof of identity demonstrates immigration status or 
United States citizenship. According to TWIC officials, the program is able to validate immigra- 
tion status and citizenship-related documents required of noncitizens and non-U.S. -born citi- 
zens — such as certificates of naturalization — with the originating source. For individuals with 
derogatory information, staff at the adjudication center reviews each applicant’s file to deter- 
mine if the derogatory information accurately applies to the individual or includes disqualifying 
information. 

Coast Guard regulations require that such an inspection include: (1) a match of the photo 
on the TWIC to the individual presenting the TWIC, (2) verification that the TWIC has not ex- 
pired, and (3) a visual check of the various security features present on the card to determine 
whether the TWIC has been tampered with or forged. 

®®See United States Coast Guard, Commandant Instruction Manual 16601.1: Coast Guard 
Transportation Worker Identification Credential (TWIC) Verification and Enforcement Guide 
(Washington, D.C.: Oct. 10, 2008). 

The Captain of the Port is the Coast Guard officer designated by the Commandant to en- 
force within his or her respective areas port safety and security and marine environmental pro- 
tection regulations, including, without limitation, regulations fbr the protection and security of 
vessels, harbors, and waterfront facilities. 

Coast Guard Sectors run all Coast Guard missions at the local and port levels, such as 
search and rescue, port security, environmental protection, and law enforcement in ports and 
surrounding waters, and oversee a number of smaller Coast Guard units, including small cutters 
and small-boat stations. 

39 74 Fed. Reg. 13360 (2009). An advanced notice of proposed rulemaking is published in the 
Federal Register and contains notices to the public of the proposed issuance of rules and regula- 
tions. The purpose of this advanced notice of proposed rulemaking was to encourage the discus- 
sion of potential TWIC reader requirements prior to the rulemaking process. 

*®The pilot initiation date is based on the first date of testing identified in the TWIC pilot 
schedule. This date is not inclusive of time taken for planning the pilot prior to the first test. 
The SAFE Port Act required the pilot to commence no later than 180 days after the date of 
enactment (Oct. 13, 2006) of the SAFE Port Act. See GAO-06— 982. 
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with biometric card readers within the maritime environment. After the pilot has 
concluded, a report on the findings of the pilot is expected to inform the develop- 
ment of the card reader rule. DHS currently estimates that a notice of proposed 
rulemaking will be issued late in calendar year 2011 and that the final rule will 
be promulgated no earlier than the end of calendar year 2012. 

According to agency officials, from Fiscal Years 2002 through 2010, the TWIC pro- 
gram had funding authority totaling $420 million. In issuing the credential rule, 
DHS estimated that implementing the TWIC program could cost the Federal Gov- 
ernment and the private sector a combined total of between $694.3 million and $3.2 
billion over a 10-year period. However, these figures did not include costs associated 
with implementing and operating readers.''^ Appendix H contains additional pro- 
gram funding details. 

Standards for Internal Control 

Standards for Internal Control in the Federal Government underscores the need 
for developing effective controls for meeting program objectives and complying with 
applicable regulations.'^^ Effective internal controls provide for an assessment of the 
risks the agency faces from both internal and external sources. Once risks have 
been identified, they should be analyzed for their possible effect. Management then 
has to decide upon the internal control activities required to mitigate those risks 
and achieve the objectives of efficient and effective operations. As part of this effort, 
management should design and implement internal controls based on the related 
cost and benefits. 

In addition, internal control standards highlight the need for the following: 

• capturing information needed to meet program objectives; 

• designing controls to assure that ongoing monitoring occurs in the course of nor- 
mal operations; 

• determining that relevant, reliable, and timely information is available for man- 
agement decisionmaking purposes; 

• conducting reviews and testing of development and modification activities be- 
fore placing systems into operation; 

• recording and communicating information to management and others within 
the entity who need it and in a form and within a time-frame that enables them 
to carry out their internal control and other responsibilities; and 

• designing internal controls to provide reasonable assurance that compliance 
with applicable laws and reflations is being achieved, and provide appropriate 
supervisory review of activities to help provide oversight of operations. This in- 
cludes designing and implementing appropriate supervisory review activities to 
help provide oversight and analyzing data to compare trends in actual perform- 
ance to expected results to identify any areas that may require further inquiries 
or corrective action. 

Internal control also serves as the first line of defense in safeguarding assets and 
preventing and detecting errors and fraud. An internal control weakness is a condi- 
tion within an internal control system worthy of attention. A weakness, therefore, 
may represent a perceived, potential, or real shortcoming, or an opportunity to 
strengthen internal controls to provide a greater likelihood that the entity’s objec- 
tives will be achieved. 

Internal Control Weaknesses in DHS’s Biometrie Transportation ID 
Program Hinder Efforts to Ensure Security Objectives Are Fully 
Achieved 

DHS has established a system of TWIC-related processes and controls. However, 
internal control weaknesses governing the enrollment, background checking, and 
use of TWIC potentially limit the program’s ability to provide reasonable assurance 
that access to secure areas of MTSA-regulated facilities is restricted to qualified in- 
dividuals. Specifically, internal controls in the enrollment and background check- 
ing processes are not designed to provide reasonable assurance that: (1) only quali- 
fied individuals can acquire TWICs; (2) adjudicators follow a process with clear cri- 


'^^See Transportation Worker Identification Credential (TWIC) Implementation in the Mari- 
time Sector; Final Rule, 72 Fed. Reg. 3492, 3571 (2007). 

'‘2 GAO/AIMD-00-21.3.1. 

^^^In accordance with Standards for Internal Control in the Federal Government, the design 
of the internal controls is to he informed by identified risks the program faces from both internal 
and external sources; the possible effect of those risks; control activities required to mitigate 
those risks; and the cost and benefits of mitigating those risks. 
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teria for applying discretionary authority when applicants are found to have exten- 
sive criminal convictions; or (3) once issued a TWIG, TWIG holders have maintained 
their eligibility. To meet the stated program mission needs, TSA designed TWIG 
program processes to facilitate the issuance of TWIGs to maritime workers. How- 
ever, TSA did not assess the internal controls designed and in place to determine 
whether they provided reasonable assurance that the program could meet defined 
mission needs for limiting access to only qualified individuals. Further, internal con- 
trol weaknesses in TWIG enrollment, background checking, and use could have con- 
tributed to the breach of selected MTSA-regulated facilities during covert tests con- 
ducted by our investigators. 

TWIC Program Controls Are Not Designed to Provide Reasonable Assurance That 
Only Qualified Applicants Can Acquire TWICs 

DHS has established a system of TWIG-related processes and controls that as of 
April 2011 has resulted in TWIGs being denied to 1,158 applicants based on a crimi- 
nal offense, criminal immigration offense, or invalid immigration status.''^ However, 
the TWIC program’s internal controls for positively identif 3 dng an applicant, arriv- 
ing at a security threat determination for that individual, and approving the 
issuance of a TWIG, are not designed to provide reasonable assurance that only 
qualified applicants can acquire TWIGs."*® Assuring the identity and qualifications 
of TWIC-holders are two of the primary benefits that the TWIC program is to pro- 
vide MTSA-regulated facility and vessel operators making access control decisions. 
If an individual presents an authentic TWIG acquired through fraudulent means 
when requesting access to the secure areas of a MTSA-regulated facility or vessel, 
the cardholder is deemed not to be a security threat to the maritime environment 
because the cardholder is presumed to have met TWIC-related qualifications during 
a background check. In such cases, these individuals could better position them- 
selves to inappropriately gain unescorted access to secure areas of a MTSAregulated 
facility or vessel.*® 

As confirmed by TWIG program officials, there are ways for an unqualified indi- 
vidual to acquire an authentic TWIG. According to TWIG program officials, to meet 
the stated program purpose, TSA’s focus in designing the TWIG program was on fa- 
cilitating the issuance of TWIGs to maritime workers. However, TSA did not assess 
internal controls prior to implementing the program. Further, prior to fielding the 
program, TSA did not conduct a risk assessment of the TWiG program to identify 
program risks and the need for controls to mitigate existing risks and weaknesses, 
as called for by internal control standards. Such an assessment could help provide 
reasonable assurance that control weaknesses in one area of the program do not un- 
dermine the reliability of other program areas or impede the program from meeting 
mission needs. TWIC program officials told us that control weaknesses were not ad- 
dressed prior to initiating the TWIC program because they had not previously iden- 
tified them, or because they would be too costly to address. However, officials did 
not provide documentation to support their cost concerns and told us that they did 
not complete an assessment that accounted for whether the program could achieve 
defined mission needs without implementing additional or compensating controls to 
mitigate existing risks, or the risks associated with not correcting for existing inter- 
nal control weaknesses. 

Our investigators conducted covert tests at enrollment center(s) to help test the 
rigor of the TWIG enrollment and background checking processes. The investigators 
fully complied with the enrollment application process. They were photographed and 
fingerprinted, and asserted themselves to be U.S.-born citizens."*^ The investigators 
were successful in obtaining authentic TWIG cards despite going through the back- 
ground-checking process. Not having internal controls designed to provide reason- 
able assurance that the applicant has: (1) been positively identified, and (2) met all 


‘‘“TSA further reports that as of April 2011 there have been 34,503 cases out of 1,841,122 
enrollments, or 1.9 percent of TWIC enrollments, where enrollees have not been approved for 
a TWIC because TSA has identified that the enrollees have at least one potentially disqualifying 
criminal offense, criminal immigration offense, or invalid immigration status, and the enrollee 
did not respond to an initial determination of threat assessment. Under the TWIC vetting proc- 
ess, an applicant that receives an initial determination of threat assessment is permitted to pro- 
vide additional information to respond to or challenge the determination, or to request a waiver 
for the disqualifying condition, and subsequently be granted a TWIC. 

*®For the purposes of this report, routinely is defined as a process being consistently applied 
in accordance with established procedure so as to render consistent results. 

*®The TWIC program requires individuals to both hold a TWIC and be authorized to be in 
the secure area by the owner/operator in order to gain unescorted access to secure areas of 
MTSA-regulated facilities and vessels. 

*'^The details related to the means used by the investors in the tests could not be detailed 
here because they were deemed sensitive security information by TSA. 
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TWIC eligibility requirements, including not posing a security threat to MTSA-regu- 
lated facilities and vessels, could have contributed to the investigators’ successes. 
Specifically, we identified internal control weaknesses in the following three areas 
related to ensuring that only qualified applicants are ahle to obtain a TWIC. 

Controls to identify the use of potentially counterfeit identity documents are not 
used to inform background checking processes. As part of TWIC program enrollment, 
a trusted agent is to review identity documents for authenticity and use an elec- 
tronic authentication device to assess the likelihood of the document being counter- 
feit."*^® According to TWIC program officials, the trusted agent’s review of TWIC ap- 
plicant identity documents and the assessment provided by the electronic authen- 
tication device are the two steps intended to serve as the primary controls for de- 
tecting whether an applicant is presenting counterfeit identity documents. Addition- 
ally, the electronic device used to assess the authenticity of identification credentials 
renders a score on the likelihood of the document being authentic and produces an 
assessment report in support of the score. Assessing whether the applicant’s creden- 
tial is authentic is one source of information for positively identifying an applicant. 
Our investigators provided counterfeit or fraudulently acquired documents, but they 
were not detected. 

However, the TWIC program’s background checking processes are not designed to 
routinely consider the results of controls in place for assessing whether an appli- 
cant’s identity documents are authentic. For example, assessments of document au- 
thenticity made by a trusted agent or the electronic document authentication device 
as part of the enrollment process are not considered as part of the first-level back- 
ground check. Moreover, TWIC program officials agree that this is a program weak- 
ness. As of December 1, 2010, approximately 60 percent of TWICs were approved 
after the first-level background check without undergoing further review."*® As an 
initial step toward addressing this weakness, and in response to our review, TWIC 
program officials told us that since April 17, 2010, the comments provided at enroll- 
ment by trusted agents have been sent to the Screening Gateway — a TSA system 
for aggregating threat assessment data. However, this change in procedure does not 
correct the internal control weaknesses we identified.®® Attempts to authenticate 
copies of documents are limited because it is not possible to capture all of the secu- 
rity features when copies of the identity documents are recorded, such as holograms 
or color-shifting ink. Using information on the authenticity of identity documents 
captured during enrollment to inform the background check could help TSA better 
assess the reliability and authenticity of such documents provided at enrollment. 

Controls related to the legal status of self-reported U.S.-born citizens or nation- 
als.^^ The TWIC program does not require that applicants claiming to be U.S.-born 
citizens or nationals provide identity documents that demonstrate proof of citizen- 
ship, or lawful status in the United States. See appendix III for the list of docu- 
ments U.S.-born citizens or nationals must select from and present when applying 
for a TWIC.®^ For example, an applicant could elect to provide one document, such 
a U.S. passport, which, according to TSA officials, serves as proof of U.S. citizenship 
or proof of nationality. However, an applicant could elect to submit documents that 
do not provide proof of citizenship. As of December 1, 2010, nearly 86 percent of ap- 


*®As designed, the TWIC program’s enrollment process relies on a trusted agent — a contract 
employee — to collect an applicant’s identification information. The trusted agent is provided 
basic training on how to detect a fraudulent document. The training, for example, consists of 
checking documents for the presence of a laminate that is not peeling, typeset that looks legiti- 
mate, and seals on certain types of documents. 

*®Of the 1,697,160 enrollments approved for a TWIC, 852,540 were approved using TSA’s 
automated process as part of the first-level background check without undergoing further re- 
view. 

Details from this section were removed because the agency deemed them sensitive security 
information. 

National means a citizen of the United States or a noncitizen owing permanent allegiance 
to the United States. In general, U.S. -born nationals who are not U.S. citizens at birth are indi- 
viduals born in an outlying possession of the United States. Details from this section were re- 
moved because the agency deemed them sensitive security information. 

®2Various identity documents can be provided by U.S. -born citizens or nationals when apply- 
ing for a TWIC. For certain documents, such as an unexpired U.S. passport, TSA requires one 
document as a proof of identity. For other documents, such as a Department of Transportation 
Medical Card or United States Military Dependents Identification Card, TSA requires that 
TWIC applicants provide two identity documents from a designated list, with one being a gov- 
ernment-issued photo identification. 
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proved TWIC enrollments were by self-identified United States citizens or nationals 
asserting that they were born in the United States or a United States territory.®^ 

Verifying a U.S.-born citizen’s identity and related lawful status can be costly and 
is a challenge faced by U.S. Government programs such as passports.®"* However, 
reaching an accurate determination of a TWIC applicant’s potential security threat 
in meeting TWIC mission needs is dependant on positively identifying the applicant. 
Given such potential cost constraints, consistent with internal control standards, 
identifying alternative mechanisms to positively identify individuals to the extent 
that the benefits exceed the costs and TWIC program mission needs are met could 
enhance TSA’s ability to positively identify individuals and reduce the likelihood 
that criminals or terrorists could acquire a TWIC fraudulently. 

Controls are not in place to determine whether an applicant has a need for a 
TWIC.^^ Regulations governing the TWIC program security threat assessments re- 
quire applicants to disclose their job description and location(s) where they will most 
likely require unescorted access, if known, and the name, telephone number, and 
address of the applicant’s current employer(s) if the applicant works for an employer 
that requires a TWIC.®® However, TSA enrollment processes do not require that this 
information be provided by applicants. For example, when applying for a TWIC, ap- 
plicants are to certify that they may need a TWIC as part of their employment du- 
ties. However, the enrollment process does not request information on the location 
where the applicant will most likely require unescorted access, and enrollment proc- 
esses include asking the applicant if they would like to provide employment infor- 
mation, but informing the applicant that employer information is not required. 

While not a problem prior to implementing the TWIC program, according to TSA 
officials, a primary reason for not requiring employer information be captured by ap- 
plicant processes is that many applicants do not have employers, and that many em- 
ployers will not accept employment applications from workers who do not already 
have a TWIC. However, TSA could not provide statistics on: (1) how many individ- 
uals applying for TWICs were unemployed at the time of their application; or (2) 
a reason why the TWIC-related regulation does not prohibit employers from denying 
employment to non-TWIC holders who did not previously have a need for a TWIC. 
Further, according to TSA and Coast Guard officials, industry was opposed to hav- 
ing employment information verified as part of the application process, as industry 
representatives believed such checks would be too invasive and time-consuming. 
TSA officials further told us that confirming this information would be too costly. 

We recognize that implementing mechanisms to capture this information could be 
time-consuming and involve additional costs. However, collecting information on 
present employers or operators of MTSA-regulated facilities and vessels to be 
accessed by the applicant, to the extent that the benefits exceed the costs and TWIC 
program mission needs are met, could help ensure TWIC program mission needs are 
being met, and serve as a barrier to individuals attempting to acquire an authentic 
TWIC through fraudulent means. Therefore, if TSA determines that implementing 
such mechanisms are, in fact, cost prohibitive, identifying and implementing appro- 
priate compensating controls could better position TSA to positively identify the 


®3As of December 1, 2010, TSA reported that 1,697,160 TWIC enrollments have been ap- 
proved, of which 1,457,337 were self-identified United States citizens or nationals asserting that 
they were born in the United States or in a United States territory. 

®*See GAO, State Department: Significant Vulnerabilities in the Passport Issuance Process, 
GAO-09— 681T (Washington, D.C.: May 5, 2009) and State Department: Improvements Needed 
to Strengthen U.S. Passport Fraud Detection Efforts, GAO-05^77 (Washington, D.C.: May 20, 
2005). 

55 TWIC is unlike other federally-sponsored access control credentials, such as the Department 
of Defense’s Common Access Card — the agencywide standard identification card — for which 
sponsorship by an employer is required. For these Federal credentialing programs, employer 
sponsorship begins with the premise that an individual is known to need certain access as part 
of their employment. Further, the employing agency is to conduct a background investigation 
on the individual and has access to other personal information, such as prior employers, places 
of residency, and education, which they may confirm as part of the employment process and use 
to establish the individual’s identity. 

Implementing regulations at 49 C.F.R. § 1572.17 require that when applying for or renewing 
a TWIC, the applicant provide, among other information: (1) the reason that the applicant re- 
quires a TWIC, including, as applicable, the applicant’s job description and the primary facility, 
vessel, or maritime port location(s) where the applicant will most likely require unescorted ac- 
cess, if known; (2) the name, telephone number, and address of the applicant’s current em- 
ployer(s) if the applicant works for an employer that requires a TWIC; and (3) if the applicant 
works for an employer that does not require possession of a TWIC, does not have a single em- 
ployer, or is self-employed, the primary vessel or port location(s) where the applicant requires 
unescorted access, if known. The regulation states that this information is required to establish 
eligibility for a TWIC and that TSA is to review the applicant information as part of the intel- 
ligence-related check. 
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TWIC applicant. Not taking any action increases the risk that individuals could 
gain unescorted access to secure areas of MTSAregulated facilities and vessels. 

As of Septemher 2010, TSA’s background checking process had identified no in- 
stances of nonimmigration-related document or identity fraud. This is in part be- 
cause of previously discussed weaknesses in TWIC program controls for positively 
identifying applicants, and the systems and procedures the TWIC program relies on 
not being designed to effectively monitor for such occurrences, in accordance with 
internal control standards. Though not an exhaustive list, through a review of Coast 
Guard reports and publicly available court records, we identified five court cases 
where the court documents indicate that illegal immigrants acquired, or in one of 
the cases sought to acquire, an authentic TWIC through fraudulent activity such as 
providing fraudulent identity information and, in at least one of the cases and po- 
tentially up to four, used the TWIC to access secure areas of MTSA-regulated facili- 
ties. Four of these cases were a result of, or involved. United States Immigration 
and Customs Enforcement efforts after individuals had acquired, or sought to ac- 
quire, a TWIC. As of September 2010, the program’s background checking process 
identified 18 instances of potential fraud out of the approximately 1,676,000 TWIC 
enrollments. These instances all involved some type of fraud related to immigra- 
tion.®'^ The 18 instances of potential fraud were identified because the 18 individuals 
asserted themselves to be non-U.S.- born applicants and, unlike processes in place 
for individuals asserting to be U.S.-born citizens, TSA’s background checking proc- 
ess includes additional controls to validate such individuals’ identities. For example, 
TSA requires that at least one of the documents provided by such individuals at en- 
rollment show proof of their legal status and seeks to validate each non-U.S.-born 
applicant’s identity with the U.S. Citizenship and Immigration Services. 

Internal control standards highlight the need for capturing information needed to 
meet program objectives; ensuring that relevant, reliable, and timely information is 
available for management decisionmaking purposes; and providing reasonable as- 
surance that compliance with applicable laws and regulations is being achieved.®® 
Conducting a control assessment of the TWIC program’s processes to address exist- 
ing weaknesses could enhance the TWIC program’s ability to prevent and detect 
fraud and positively identify TWIC applicants. Such an assessment could better po- 
sition DHS in strengthening the program to ensure it achieves its objectives in con- 
trolling access to MTSA-regulated facilities and vessels. 

TWIC Program Controls Are Not Designed to Require Adjudicators to Follow a 
Process with Clear Criteria for Applying Discretionary Authority When 
Applieants Are Found to Have Extensive Criminal Convictions 

Being convicted of a felony does not automatically disqualify a person from being 
eligible to receive a TWIC; however, prior convictions for certain crimes are auto- 
matically disqualifying. Threat assessment processes for the TWIC program include 
conducting background checks to determine whether each TWIC applicant poses a 
security threat.®® Some of these offenses, such as espionage or treason, would per- 
manently disqualify an individual from obtaining a TWIC. Other offenses, such as 
murder or the unlawful possession of an explosive device, while categorized as per- 
manent disqualifiers, are also eligible for a waiver under TSA regulations and might 
not permanently disqualify an individual from obtaining a TWIC if TSA determines 
upon subsequent review that an applicant does not represent a security threat.®® 
Table 1 presents examples of disqualifying criminal offenses set out in statute and 
implementing regulations for consideration as part of the adjudication process. 


®'^According to TSA, as of September 8, 2010, a total of 18 TWIC applicants were issued an 
Initial Determination of Threat Assessment for invalid immigration documents. Upon submis- 
sion to the U.S. Citizenship and Immigration Services, the documentation was reported to be 
altered or counterfeit. Of these 18 instances, only 1 applicant submitted additional documenta- 
tion following an Initial Determination of Threat Assessment to challenge TSA’s determination. 
The single applicant was subsequently awarded a TWIC. 

GAO/AIMD-00-21.3.1. 

These checks, in general, can include checks for criminal history records, immigration sta- 
tus, terrorism databases and watchlists, and records indicating an adjudication of a lack of men- 
tal capacity, among other things. As defined in TSA implementing regulations, the term security 
threat means an individual whom TSA determines or suspects of posing a threat to national 
security; to transportation security; or of terrorism. 49 C.F.R. § 1570.3. 

These permanent disqualifying offenses for which no waiver can be issued include espio- 
nage, sedition, treason, a Federal crime of terrorism, or conspiracy to commit any of these of- 
fenses. 
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Table 1. — Examples of Disqualifying Offenses for TWIC Eligibilify 

Permanent 
disqualifying 
offenses “ 

Permanent disqualifying offenses 
that can be waived 

Interim disqualifying 
offenses ^ 

Espionage 

Sedition 

Treason 

A federal crime of 
terrorism 

Murder 

Unlawful possession, use, sale, distribution, manufac- 
ture, purchase, receipt, transfer, shipping, trans- 
porting, import, export, storage of, or dealing in an 
explosive or explosive device 

A crime involving a transportation security incident 
Making any threat concerning the deliverance, place- 
ment, or detonation of an explosive or other lethal de- 
vice in or against a place of pubhc use, a state or gov- 
ernment facility, a public transportation system, or 
an infrastructure facility 

Bribery 

Smuggling 

Arson 

Extortion 

Robbery 


Source: GAO analysis of regulations and TSA. 

Notes: See appendix IV for a list of all disqualifying offenses. 

“Permanent disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(a) for which no waiver can be granted under 49 
C.F.R. 1515.7(a)(i). 

'’Permanent disqualifying offenses that can be waived are offenses defined in 49 C.F.R. 1572.103(a) for which a waiver can be 
granted in accordance with 49 C.F.R. 1515.7(a)(i). Applicants with certain permanent criminal offenses and all interim disqualifying 
criminal offenses may request a waiver of their disqualification. TSA regulations provide that in determining whether to grant a 
waiver, TSA will consider: (1) the circumstances of the disqualifying act or offense; (2) restitution made by me applicant; (3) any 
Federal or state mitigation remedies; (4) court records or official medical release documents indicating that the applicant no longer 
lacks mental capacity; and (5) other factors that indicate the applicant does not pose a security threat warranting denial of a haz- 
ardous materials endorsement or TWIC. 

‘^Interim disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(b) for which the applicant has either been: (1) convicted, 
or found not guilty by reason of insanity, within a 7-year period preceding the TWIC application, or (2) incarcerated for within a 5- 
year period preceding the TWIC application. 

TSA also has the authority to add to or modify the list of interim disqualifying 
crimes. Further, in determining whether an applicant poses a security threat, TSA 
officials stated that adjudicators have the discretion to consider the totality of an 
individual’s criminal record, including criminal offenses not defined as a permanent 
or interim disqualifying criminal offenses, such as theft or larceny.®^ More specifi- 
cally, TSA’s implementing regulations provide, in part, that with respect to threat 
assessments, TSA may determine that an applicant poses a security threat if the 
search conducted reveals extensive foreign or domestic criminal convictions, a con- 
viction for a serious crime not listed as a permanent or interim disqualifying of- 
fense, or a period of foreign or domestic imprisonment that exceeds 365 consecutive 
days. Thus, if a person was convicted of multiple crimes, even if each of the crimes 
were not in and of themselves disqualifying, the number and type of convictions 
could be disqualifying. 

Although TSA has the discretion and authority to consider criminal offenses not 
defined as a disqualifying offense, such as larceny and theft, and periods of impris- 
onment, TSA has not developed a definition for what extensive foreign or domestic 
criminal convictions means, or developed guidance to ensure that adjudicators apply 
this authority consistently in assessing the totality of an individual’s criminal 
record. For example, TSA has not developed guidance or benchmarks for adjudica- 
tors to consistently apply when reviewing TWIC applicants with extensive criminal 
convictions but no disqualif 3 dng offense. This is particularly important given TSA’s 
reasoning for including this authority in TWICrelated regulation. Specifically, TSA 
noted that it understands that the flexibility this language provides must be used 
cautiously and on the basis of compelling information that can withstand judicial 
review. They further noted that the decision to determine whether an applicant 
poses a threat under this authority is largely a subjective judgment based on many 
facts and circumstances. 

While TSA does not track metrics on the number of TWICs provided to applicants 
with specific criminal offenses not defined as disqualifying offenses, as of September 
8, 2010, the agency reported 460,786 cases where the applicant was approved, but 
had a criminal record based on the results from the FBI. This represents approxi- 
mately 27 percent of individuals approved for a TWIC at the time. In each of these 
cases, the applicant had either a criminal offense not defined as a disqualifying of- 
fense or an interim disqualifying offense that was no longer a disqualification based 
on conviction date or the applicant’s release date from incarceration. Consequently, 
based on TSA’s background checking procedures, all of these cases would have been 
reviewed by an adjudicator for consideration as part of the second-level background 


®^The U.S. government’s Adjudicative Desk Reference, used in adjudicating security clear- 
ances, states that multiple criminal offenses indicate intentional continuing behavior that raises 
serious questions about a person’s trustworthiness and judgment. 
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check because derogatory information had been identified. As such, each of these 
cases had to be examined and a judgment had to be made as to whether to deny 
an applicant a TWIC based on the totality of the offenses contained in each appli- 
cant’s criminal report. 

While there were 460,786 cases where the applicant was approved, but had a 
criminal record, TSA reports to have taken steps to deny 1 TWIC applicant under 
this authority. However, in the absence of guidance for the application of this au- 
thority, it is not clear how TSA applied this authority in approving the 460,786 ap- 
plications and denying the 1. Internal control standards call for controls and other 
significant events to be clearly documented in directives, policies, or manuals to help 
ensure operations are carried out as intended. 

According to TSA officials, the agency has not implemented guidance for adjudica- 
tors to follow on how to apply this discretion in a consistent manner because they 
are confident that the adjudicators would, based on their own judgment, identify all 
applicants where the authority to deny a TWIC based on the totality of all offenses 
should be applied. However, in the absence of criteria, we were unable to analyze 
or compare how the approximately 30 adjudicators who are assigned to the TWIC 
program at any given time made determinations about TWIC applicants with exten- 
sive criminal histories. Given that 27 percent of TWIC holders have been convicted 
of at least one nondisqualifying offense, defining what extensive criminal convictions 
means and developing guidance or criteria for how adjudicators should apply this 
discretionary authority could help provide TSA with reasonable assurance that ap- 
plications are consistently adjudicated. Defining terms and developing guidance is 
consistent with internal control standards. 

TWIC Program Controls Are Not Designed to Provide Reasonable Assurance That 
TWIC Holders Have Maintained Their Eligibility Once Issued TWICs 

DHS’s defined mission needs for TWIC include identifying individuals who fail to 
maintain their eligibility requirements once issued a TWIC, and immediately revok- 
ing the individual’s card privileges. Pursuant to TWICrelated regulations, an indi- 
vidual may be disqualified from holding a TWIC and be required to surrender the 
TWIC to TSA for failing to meet certain eligibility criteria related to, for example, 
terrorism, crime, and immigration status. However, weaknesses exist in the design 
of the TWIC program’s internal controls for identif 3 dng individuals who fail to main- 
tain their eligibility that make it difficult for TSA to provide reasonable assurance 
that TWIC holders continue to meet all eligibility requirements. 

Controls are not designed to determine whether TWIC holders have committed dis- 
qualifying crimes at the Federal or state level after being granted a TWIC. TSA con- 
ducts a name-based check of TWIC holders against Federal wants and warrants 
on an ongoing basis. According to FBI and TSA officials, policy and statutory provi- 
sions hamper the program from running the broader FBI fingerprint-based check 
using the fingerprints collected at enrollment on an ongoing basis. More specifically, 
because the TWIC background check is considered to be for a noncriminal justice 
purpose,®^ to conduct an additional fingerprint-based check as part of an ongoing 
TWIC background check, TSA would have to collect a new set of fingerprints from 
the TWIC-holder,®'' if the prints are more than 1 year old, and submit those prints 
to the FBI each time they want to assess the TWIC-holder’s criminal history. Ac- 
cording to TSA officials, it would be cost prohibitive to run the fingerprint-based 
check on an ongoing basis, as TSA would have to pay the FBI $17.25 per check. 

Although existing policies may hamper TSA’s ability to check FBI-held finger- 
print-based criminal history records for the TWIC program, TSA has not explored 
alternatives for addressing this weakness, such as informing facility and port opera- 
tors of this weakness and identifying solutions for leveraging existing state criminal 
history information, where available. For instance, state maritime organizations 
may have other mechanisms at their disposal for helping to identify TWIC-holders 


Federal wants generally consist of information on wanted persons, or individuals, for whom 
Federal warrants are outstanding. 

Under the National Crime Prevention and Privacy Compact Act of 1998 (Pub. L. No. 105- 
251, 112 Stat. 1870, 1874 (1998) (codified as amended at 42 U.S.C. §§ 14601-14616)), which es- 
tablished an infrastructure by which states and other specified parties can exchange criminal 
records for noncriminal justice purposes authorized under Federal or state law, the term non- 
criminal justice purposes means uses of criminal history records for purposes authorized by Fed- 
eral or state law other than purposes relating to criminal justice activities, including employ- 
ment suitability, licensing determinations, immigration and naturalization matters, and na- 
tional security clearances. 

Under the 1998 Act, subject fingerprints or other approved forms of positive identification 
must be submitted with all requests for criminal history record checks for noncriminal justice 
purposes. 
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who may no longer meet TWIC qualification requirements. Specifically, laws gov- 
erning the maritime environment in New York and New Jersey provide for 
credentialing authorities being notified if licensed or registered longshoremen have 
been arrested. Further, other governing entities, such as the State of Florida and 
the Alabama State Port Authority, have access to state-based criminal records 
checks. While TSA may not have direct access to criminal history records, TSA could 
compensate for this control weakness, for example, by leveraging existing mecha- 
nisms available to maritime stakeholders across the country to better ensure that 
only qualified individuals retain TWICs. 

Controls are not designed to provide reasonable assurance that TWIC holders con- 
tinue to meet immigration status eligibility requirements. If a TWIC holder’s stated 
period of legal presence in the United States is about to expire or has expired, the 
TWIC program does not request or require proof from TWIC holders to show that 
they continue to maintain legal presence in the United States. Additionally, al- 
though they have the regulatory authority to do so, the program does not issue 
TWICs for a term less than 5 years to match the expiration of a visa. Instead, TSA 
relies on: (1) TWIC holders to self-report if they no longer have legal presence in 
the country, and (2) employers to report if a worker is no longer legally present in 
the country.®® As we have previously reported, government programs for granting 
benefits to individuals face challenges in confirming an individual’s immigration sta- 
tus.®® TWIC program officials stated that the program uses a United States Citizen- 
ship and Immigration Services system during the background checking process prior 
to issuing a TWIC as a method for confirming the legal status of non-U.S. citizens.®^ 
TSA has not, however, consistent with internal control standards, implemented al- 
ternative controls to compensate for this limitation and provide reasonable assur- 
ance that TWIC holders remain eligible. For instance, the TWIC program has not 
compensated for this limitation by: (1) using its authority to issue TWICs with 
shorter expiration dates to correspond with each individual’s legal presence, or (2) 
updating the TWIC system to systematically suspend TWIC privileges for individ- 
uals who no longer meet immigration eligibility requirements until they can provide 
evidence of continued legal presence.®® 

TWIC program officials stated that implementing these compensating measures 
would be too costly, but they have not conducted an assessment to identify the costs 
of implementing these controls, or determined if the benefits of mitigating related 
security risks would outweigh those costs, consistent with internal control stand- 
ards. Not implementing such measures could result in a continued risk of individ- 
uals no longer meeting TWIC legal presence requirements continuing to hold a fed- 
erally issued identity document and gaining unescorted access to secure areas of 
MTSAregulated facilities and vessels.®® Thus, implementing compensating meas- 
ures, to the extent that the benefits outweigh the costs and meet the program’s de- 
fined mission needs, could provide TSA, the Coast Guard, and MTSA-regulated 


65 TWIC-related regulations provide, for example, that individuals disqualified from holding 
a TWIC for immigration status reasons must surrender the TWIC to TSA. In addition, the regu- 
lations provide that TWICs are deemed to have expired when the status of certain lawful non- 
immigrants with a restricted authorization to work in the United States ie.g., H-lBl Free Trade 
Agreement) expires, the employer terminates the employment relationship with such an appli- 
cant, or such applicant otherwise ceases working for the employer, regardless of the date on the 
face of the TWIC. Upon the expiration of such nonimmigrant status for an individual who has 
a restricted authorization to work in the United States, the employer and employee hoth have 
related responsihilities — the employee is required to surrender the TWIC to the employer, and 
the employer is required to retrieve the TWIC and provide it to TSA. According to TSA officials, 
the TWIC program could not provide a count of the total number of TWIC holders whose em- 
ployers reported that the TWIC holders no longer have legal status, as they do not track this 
information. 

®®See, for example, GAO, EmploymentVerification: Federal Agencies Have Taken Steps to Im- 
prove E-Verify, but Significant Challenges Remain, GAO— 11-146 (Washington, D.C.: Dec. 17, 
2010), and Immigration Enforcement: Weaknesses Hinder Employment Verification and Worksite 
Enforcement Efforts, GAO— 05-813 (Washington, D.C.: Aug. 31, 2005). 

Details from this section were removed because the agency deemed them sensitive security 
information. 

®®The TWIC program accepts various documents, such as visas, Interim Employment Author- 
izations, and form 1—94 Arrival and Departure Records, as evidence of legal presence in the 
United States. 

69 TWIC is a federally issued identity document that can be used as proof of identity for non- 
maritime activities, such as boarding airplanes at United States airports and certain Depart- 
ment of Defense facilities in accordance with Department of Defense policy, Directive-Type 
Memorandum (DTM) 09—012, “Interim Policy Guidance for DOD Physical Access Control,” dated 
December 8, 2009. 



37 


stakeholders with reasonable assurance that each TWIC holder continues to meet 
TWIC-related eligibility requirements. 

Internal Control Weaknesses in TWIC Enrollment, Background Checking, and Use 
Could Have Contributed to Breach of MTSA-Regulated Ports 

As of January 7, 2011, the Coast Guard reports that it has identified 11 known 
attempts to circumvent TWIC requirements for gaining unescorted access to MTSA- 
regulated areas by presenting counterfeit TWICs. The Coast Guard further reports 
to have identified 4 instances of individuals presenting another person’s TWIC as 
their own in attempts to gain access. Further, our investigators conducted covert 
tests to assess the use of TWIC as a means for controlling access to secure areas 
of MTSA-regulated facilities. During covert tests of TWIC at several selected ports, 
our investigators were successful in accessing ports using counterfeit TWICs, au- 
thentic TWICs acquired through fraudulent means, and false business cases (i.e., 
reasons for requesting access).^° Our investigators did not gain unescorted access 
to a port where a secondary port specific identification was required in addition to 
the TWIC. 

In response to our covert tests, TSA and Coast Guard officials stated that, while 
a TWIC card is required for gaining unescorted access to secure areas of a MTSA- 
regulated facility, the card alone is not sufficient. These officials stated that the 
cardholder is also required to present a business case, which security officials at fa- 
cilities must consider as part of granting the individual access. In addition, accord- 
ing to DHS’s Screening Coordination Office, a credential is only one layer of a multi- 
layer process to increase security. Other layers of security might include onsite law 
enforcement, security personnel, cameras, locked doors and windows, alarm sys- 
tems, gates, and turnstiles. Thus, a weakness in the implementation of TWIC will 
not guarantee access to the secure areas of a MTSA-regulated port or facility. 

However, as our covert tests demonstrated, having an authentic TWIC and a le- 
gitimate business case were not always required in practice. The investigators’ pos- 
session of TWIC cards provided them with the appearance of legitimacy and facili- 
tated their unescorted entry into secure areas of MTSA-regulated facilities and ports 
at multiple locations across the country. If individuals are able to acquire authentic 
TWICs fraudulently, verifying the authenticity of these cards with a biometric read- 
er will not reduce the risk of undesired individuals gaining unescorted access to the 
secure areas of MTSA-regulated facilities and vessels. 

Given existing internal control weaknesses, conducting a control assessment of 
the TWIC program’s processes to address existing weaknesses could enhance the 
TWIC program’s ability to prevent and detect fraud and positively identify TWIC 
applicants. Such an assessment could better position DHS in stren^hening the pro- 
gram to ensure it achieves its objectives in controlling unescorted access to MTSA- 
regulated facilities and vessels. It could also help DHS identify and implement the 
minimum controls needed to: (1) positively identify individuals, (2) provide reason- 
able assurance that control weaknesses in one area of the program would not under- 
mine the reliability of other program areas or impede the program from meeting 
mission needs, and (3) provide reasonable assurance that the threat assessments 
are based on complete and accurate information. Such actions would be consistent 
with internal control standards, which highlight the need for capturing information 
needed to meet program objectives; determining that relevant, reliable, and timely 
information is available for management decision-making purposes; and designing 
internal controls to provide reasonable assurance that compliance with applicable 
laws and regulations is being achieved, as part of implementing effective controls. 
Moreover, our prior work on internal controls has shown that management should 
design and implement internal controls based on the related costs and benefits and 
continually assess and evaluate its internal controls to assure that the controls 
being used are effective and updated when necessary.'^i 


Existing vulnerabilities with TWIC to date have included, for example, problems with dete- 
riorating TWIC card security features. Cards fading and delaminating have been reported by 
stakeholders across the country from places such as New York, Virginia, Texas, and California, 
with a range of climate conditions. According to stakeholders, these problems make it difficult 
for security guards to distinguish an authentic TWIC that is faded from a fraudulent TWIC. 
TSA and the Coast Guard have also received reports of problems with the card’s chip or antenna 
connection not working from locations where TWICs are being used with readers. The total 
number of damaged TWICs with a damaged chip or antenna is unknown because TWICs are 
not required to be used with readers. 

” GAO/AIMD-00-21.3.1. 
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TWIC’s Effectiveness at Enhancing Security Has Not BeenAssessed, and the 
Coast Guard Lacks the Ability to Assess Trends in TWIG Compliance 

The TWIC program is intended to improve maritime security by using a federally 
sponsored credential to enhance access controls to secure areas at MTSA-regulated 
facilities and vessels, but DHS has not assessed the program’s effectiveness at en- 
hancing security. In addition, Coast Guard’s approach for monitoring and enforcing 
TWIC compliance nationwide could be improved by enhancing its collection and as- 
sessment of related maritime security information. For example, the Coast Guard 
tracks TWIC program compliance, but the processes involved in the collection, cata- 
loguing, and querying of information cannot be relied on to produce the manage- 
ment information needed to assess trends in compliance with the TWIC program or 
associated vulnerabilities. 

TWIC Has Not Been Assessed to Measure Effectiveness at Enhancing Security 

DHS asserted in its 2009 and 2010 budget submissions that the absence of the 
TWIC program would leave America’s critical maritime port facilities vulnerable to 
terrorist activities.^^ However, to date, DHS has not assessed the effectiveness of 
TWIC at enhancing security or reducing risk for MTSA-regulated facilities and ves- 
sels. Such assessments are consistent with DHS’s National Infrastructure Protection 
Plan, which recognizes that metrics and other evaluation procedures should be used 
to measure progress and assess the effectiveness of programs designed to protect 
key assets.^® Further, DHS has not demonstrated that TWIC, as currently imple- 
mented and planned with readers, is more effective than prior approaches used to 
limit access to ports and facilities, such as using facility specific identity credentials 
with business cases. According to TSA and Coast Guard officials, because the pro- 
gram was mandated by Congress as part of MTSA, DHS did not conduct a risk as- 
sessment to identify and mitigate program risks prior to implementation. Further, 
according to these officials, neither the Coast Guard nor TSA analyzed the potential 
effectiveness of TWIC in reducing or mitigating security risk — either before or after 
implementation — because they were not required to do so by Congress. Rather, DHS 
assumed that the TWIC program’s enrollment and background checking procedures 
were effective and would not allow unqualified individuals to acquire and retain au- 
thentic TWICs. 

The internal control weaknesses that we discuss earlier in the report, as well as 
the results of our covert tests of TWIC use, raise questions about the effectiveness 
of the TWIC program. According to the Coast Guard official responsible for con- 
ducting assessments of maritime risk, it may now be possible to assess TWIC effec- 
tiveness and the extent to which, or if, TWIC use could enhance security using cur- 
rent Maritime Security Risk Analysis Model (MSRAM) data. Since MSRAM’s de- 
ployment in 2005, the Coast Guard has used its MSRAM to help inform decisions 
on how to best secure our nation’s ports and how to best allocate limited resources 
to reduce terrorist risks in the maritime environment.'^’^ Moreover, as we have pre- 
viously reported. Congress also needs information on whether and in what respects 
a program is working well or poorly to support its oversight of agencies and their 
budgets, and agencies’ stakeholders need performance information to accurately 


"^^See DHS, DHS Exhibit 300 Public Release BYIO/TSA — Transportation Worker Identifica- 
tion Credentialing (TWIC) (Washington, D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Re- 
lease BY09/TSA — Transportation Worker Identification Credentialing (TWIC) (Washington, 
D.C.: July 27, 2007). 

"^^DHS, National Infrastructure Protection Plan: Partnering to Enhance Protection and Resil- 
iency (Washington, D.C.: 2009). The NIPP, first issued in June 2006 by DHS, established a six- 
step risk management framework to establish national priorities, goals, and requirements for 
Critical Infrastructure and Key Resources (CIKR) protection so that Federal funding and re- 
sources are applied in the most effective manner to deter threats, reduce vulnerabilities, and 
minimize the consequences of attacks and other incidents. The NIPP states that comprehensive 
risk assessments are necessary for determining which assets or systems face the highest risk, 
for prioritizing risk mitigation efforts and the allocation of resources, and for effectively meas- 
uring how security programs reduce risks. 

'^’^The Coast Guard uses MSRAM to assess risk for various types of vessels and port infra- 
structure in accordance with the guidance on assessing risk from DHS’s National Infrastructure 
Protection Plan (NIPP). The Coast Guard uses the analysis tool to help implement its strategy 
and concentrate maritime security activities when and where relative risk is believed to be the 
greatest. The model assesses the risk — threats, vulnerabilities, and consequences — of a terrorist 
attack based on different scenarios; that is, it combines potential targets with different means 
of attack, as recommended by the risk assessment aspect of the NIPP. Also in accordance with 
the NIPP, the model is designed to support decisionmaking for the Coast Guard. At the national 
level, the model’s results are used, among other things, for identifying capabilities needed to 
combat future terrorist threats. 
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judge program effectiveness^® Conducting an effectiveness assessment that evalu- 
ates whether use of TWIC in its present form and planned use with readers would 
enhance the posture of security beyond efforts already in place given costs and pro- 
gram risks could better position DHS and policymakers in determining the impact 
of TWIC on enhancing maritime security. 

Further, pursuant to Executive Branch requirements, prior to issuing a new regu- 
lation, agencies are to conduct a regulatory analysis, which is to include an assess- 
ment of costs, benefits, and associated risks. Prior to issuing the regulation on im- 
plementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, 
which asserted that TWIC would increase security. The analysis included an evalua- 
tion of the costs and benefits related to implementing TWIC. However, DHS did not 
conduct a risk-informed cost-benefit analysis that considered existing security risks. 
For example, the analysis did not account for the costs and security risks associated 
with designing program controls to prevent an individual from acquiring an authen- 
tic TWIC using a fraudulent identity and limiting access to secure areas of MTSA- 
regulated facilities and vessels to those with a legitimate need, in accordance with 
stated mission needs. As a proposed regulation on the use of TWIC with biometric 
card readers is under development, DHS is to issue a new regulatory analysis. Con- 
ducting a regulatory analysis using the information from the internal control and 
effectiveness assessments as the basis for evaluating the costs, benefits, security 
risks, and needed corrective actions could better inform and enhance the reliability 
of the new regulatory analysis. Moreover, these actions could help DHS identify and 
assess the full costs and benefits of implementing the TWIC program in a manner 
that will meet stated mission needs and mitigate existing security risks, and help 
ensure that the TWIC program is more effective and cost-efficient than existing 
measures or alternatives at enhancing maritime security. 

Coast Guard’s Approach for Monitoring and Enforcing TWIC Compliance Could Be 
Improved by Enhancing Its Collection and Assessment of Maritime Security 
Information 

Internal control standards state that: (1) internal controls should be designed to 
ensure that ongoing monitoring occurs in the course of normal operations, and (2) 
information should be communicated in a form and within a time-frame that en- 
ables management to carry out its internal control responsibilities.^'^ Further, our 
prior work has stated that Congress also needs information on whether and in what 
respects a program is working well or poorly to support its oversight of agencies and 
their budgets, and agencies’ stakeholders need performance information to accu- 
rately judge program effectiveness.'^® The Coast Guard uses its Marine Information 
for Safety and Law Enforcement (MISLE) database to meet these needs by record- 
ing activities related to MTSA-regulated facility and vessel oversight, including ob- 
servations of TWIC-related deficiencies.'^® The purpose of MISLE is to provide the 
capability to collect, maintain, and retrieve information necessary for the adminis- 
tration, management, and documentation of Coast Guard activities. In February 
2008, we reported that flaws in the data in MISLE limit the Coast Guard’s ability 
to accurately portray and appropriately target oversight activities.®® 


"^^GAO, Executive Guide: Effectively Implementing the Government Performance and Results 
Act, GAO/GGD-96-118 (Washington, D.C.: June 1996). 

Office of Management and Budget, Circular A-4, Regulatory Analysis (Revised Sept. 17, 
2003) provides guidance to Federal agencies on the development of regulatory analysis as re- 
quired by Executive Order 12866 of September 30, 1993, as amended by Executive Order 13258 
of February 26, 2002, and Executive Order 13422 of January 18, 2007, “Regulatory Planning 
and Review.” According to Executive Order 12866, agencies should adhere to certain specified 
principles, such as: (1) with respect to setting regulatory priorities, each agency shall consider, 
to the extent reasonable, the degree and nature of the risks posed by various substances or ac- 
tivities within its jurisdiction, and (2) each agency shall base its decisions on the best reasonably 
obtainable scientific, technical, economic, and other information concerning the need for, and 
consequences of, the intended regulation. According to Circular A-^, a regulatory analysis 
should include the following three basic elements: (1) a statement of the need for the proposed 
action, (2) an examination of alternative approaches, and (3) an evaluation of the benefits and 
costs — quantitative and qualitative — of the proposed action and the main alternatives identified 
by the action. The evaluation of benefits and costs is to be informed by a risk assessment. 

''■'See GAO/AIMD-00-21.3.1. 

''«See GAO/GGD-96-118. 

MISLE began operating in December 2001 and is the Coast Guard’s primary data system 
for documenting facility oversight and other activities. 

80 We recommended that, among other things, the Coast Guard assess MISLE compliance 
data, including the completeness of the data, data entry, consistency, and data field problems, 
and make any changes needed to more effectively use MISLE data. DHS concurred with this 

Continued 
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In accordance with Coast Guard policy, Coast Guard inspectors are required to 
verify TWIC cards during annual compliance exams and security spot checks, and 
may do so in the course of other Coast Guard duties. As part of each inspection. 
Coast Guard inspectors are, among other things, to: (1) ensure that the card is au- 
thentic by examining it to visually verify that it has not been tampered with; (2) 
verify identity by comparing the photograph on the card with the TWIC holder to 
ensure a match; (3) check the card’s physical security features; and (4) ensure the 
TWIC is valid — a check of the card’s expiration date. Additionally, Coast Guard in- 
spectors are to assess the proficiency of facility and vessel security personnel in com- 
plying with TWIC requirements through various means including oral examination, 
actual observation, and record review. Coast Guard inspectors randomly select 
workers to check their TWICs during inspections. The number of TWIC cards 
checked is left to the discretion of the inspectors. 

As of December 17, 2010, according to Coast Guard data, 2,135 facilities have un- 
dergone at least 2 MTSA inspections as part of annual compliance exams and spot 
checks. In reviewing the Coast Guard’s records of TWICrelated enforcement actions, 
we found that, in addition to verifying the number of inspections conducted, the 
Coast Guard is generally positioned to verify that TWIC cards are being checked 
by Coast Guard inspectors and, of the card checks that are recorded, the number 
of cardholders who are compliant and noncompliant. For instance, the Coast Guard 
reported inspecting 129,464 TWIC holders’ cards from May 2009 through January 
6, 2011. The Coast Guard reported that 124,203 of the TWIC holders, or 96 percent, 
were found to be compliant — possessed a valid TWIC.®^ However, according to Coast 
Guard officials, local Coast Guard inspectors may not always or consistently record 
all inspection attempts. Consequently, while Coast Guard officials told us that in- 
spectors verify TWICs as part of all security inspections, the Coast Guard could not 
reliably provide the number of TWICs checked during each inspection. 

Since the national compliance deadline in April 2009 requiring TWIC use at 
MTSA-regulated facilities and vessels, the Coast Guard has not identified major 
concerns with TWIC implementation nationally. However, while the Coast Guard 
uses MISLE to track program compliance, because of limitations in the MISLE sys- 
tem design, the processes involved in the collection, cataloguing, and querying of in- 
formation cannot be relied upon to produce the management information needed to 
assess trends in compliance with the TWIC program or associated vulnerabilities. 
For instance, when inspectors document a TWIC card verification check, the system 
is set up to record the number of TWICs reviewed for different types of workers and 
whether the TWIC holders are compliant or noncompliant. However, other details 
on TWIC-related deficiencies, such as failure to ensure that all facility personnel 
with security duties are familiar with all relevant aspects of the TWIC program and 
how to carry them out, are not recorded in the system in a form that allows inspec- 
tors or other Coast Guard officials to easily and systematically identify that a defi- 
ciency was related to TWIC. For example, from January 2009 through December 
2010, the Coast Guard reported issuing 145 enforcement actions as a result of an- 
nual compliance exams or security spot checks at the 2,135 facilities that have un- 
dergone the inspections.®^ These included 57 letters of warning, 40 notices of viola- 
tion, 32 civil penalties, and 16 operations controls (suspension or restriction of oper- 
ations). However, it would be labor-intensive for the Coast Guard to identify how 
many of the 57 letters of warning or 40 notices of violation were TWIC related, ac- 
cording to a Coast Guard official responsible for TWIC compliance, because there 
is not an existing query designed to extract this information from the system. Some- 
one would have to manually review each of the 97 inspection reports in the database 
indicating either a letter of warning or a notice of violation to verify whether or not 
the deficiencies were TWIC related. As such, the MISLE system is not designed to 


recommendation. The Coast Guard acknowledged the need for improvement in MISLE compli- 
ance data and has taken initial steps to reduce some of the database concerns identified in our 
previous work. However, as of January 2011, the recommendation has not been fully addressed. 
See GAO, Maritime Security: Coast Guard Inspections Identify and Correct Facility Deficiencies, 
but More Analysis Needed of Program’s Staffing, Practices, and Data, GAO— 08-12 {Washington, 
D.C.: Feb. 14, 2008). 

These numbers represent a combination of visual and electronic verifications because the 
TWIC verification window in MISLE is not currently designed to capture whether cards are 
verified visually or electronically. According to Coast Guard officials, with the recent deployment 
of handheld readers to Coast Guard units, the Coast Guard is in the process of enhancing 
MISLE to include the ability to distinguish between the number of visual inspections of cards 
and the number of verifications conducted using the handheld readers. 

According to the Coast Guard, 2,509 facilities are subject to MTSA and must actively imple- 
ment TWIC provisions. 
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readily provide information that could help management measure and assess the 
overall level of compliance with the TWIC program or existing vulnerabilities. 

According to a Coast Guard official responsible for TWIC compliance, Coast Guard 
headquarters staff has not conducted a trend analysis of the deficiencies found dur- 
ing reviews and inspections and there are no other analyses they planned to conduct 
regarding enforcement until after readers are required to be used. According to the 
Coast Guard, it can generally identify the number of TWICs checked and recorded 
in the MISLE system. However, it cannot perform trend analysis of the deficiencies 
as it would like to do, as it requires additional information. In the interim, as of 
January 7, 2011, the Coast Guard reported deplo 3 dng 164 handheld biometric read- 
ers nationally to units responsible for conducting inspections. These handheld 
readers are intended to be the Coast Guard’s primary means of TWIC verification. 
During inspections. Coast Guard inspectors use the card readers to electronically 
check TWiCs in three ways: (1) verification — a biometric one-to-one match of the fin- 
gerprint; (2) authentication — electronically confirming that the certificates on the 
credential are authentic; and (3) validation — electronically check the card against 
the “hotlist” of invalid or revoked cards. The Coast Guard believes that the use of 
these readers during inspections will greatly improve the effectiveness of enforce- 
ment efforts and enhance record keeping through the use of the readers’ logs. 

As a result of limitations in MISLE design and the collection and recording of in- 
spection data, it will be difficult for the Coast Guard to identify trends nationwide 
in TWIC-related compliance, such as whether particular types of facilities or a par- 
ticular region of the country have OTeater levels of noncompliance, on an ongoing 
basis. Coast Guard officials acknowledged these deficiencies and reported that they 
are in the process of making enhancements to the MISLE database and plan to dis- 
tribute updated guidance on how to collect and input information into MISLE to the 
Captains of the Port. However, as of January 2011, the Coast Guard had not yet 
set a date for implementing these changes. Further, while this is a good first step, 
these enhancements do not address weaknesses related to the collection process and 
querying of MISLE information so as to facilitate the Coast Guard performing trend 
analysis of the deficiencies as part of its compliance reviews. By designing and im- 
plementing a cost-effective and practical method for collecting, cataloging, and 
querying TWIC-related compliance information, the Coast Guard could be better po- 
sitioned to identify and assess TWIC-related compliance and enforcement trends, 
and to obtain management information needed to assess and understand existing 
vulnerabilities with the use of TWIC. 

Conclusions 

As the TWIC program continues on the path to full implementation — with poten- 
tially billions of dollars needed to install TWIC card readers in thousands of the Na- 
tion’s ports, facilities, and vessels at stake — it is important that Congress, program 
officials, and maritime industry stakeholders fully understand the program’s poten- 
tial benefits and vulnerabilities, as well as the likely costs of addressing these po- 
tential vulnerabilities. Identified internal control weaknesses and vulnerabilities in- 
clude weaknesses in controls related to preventing and detecting identity fraud, as- 
sessing the security threat that individuals with extensive criminal histories pose 
prior to issuing a TWIC, and ensuring that TWIC holders continue to meet program 
eligibility requirements. Thus, conducting an internal control assessment of the pro- 
gram by analyzing controls, identifying related weaknesses and risks, and deter- 
mining cost-effective actions to correct or compensate for these weaknesses could 
better position DHS to provide reasonable assurance that control weaknesses do not 
impede the program from meeting mission needs. 

In addition, conducting an effectiveness assessment could help provide reasonable 
assurance that the use of TWIC enhances the posture of security beyond efforts al- 
ready in place or identify the extent to which TWIC may possibly introduce security 
vulnerabilities because of the way it has been designed and implemented. This as- 
sessment, along with the internal controls assessment, could be used to enhance the 
regulatory analysis to be conducted as part of implementing a regulation on the use 
of TWIC with readers. More specifically, considering identified security risks and 
needed corrective actions as part of the regulatory analysis could provide insights 
on the full costs and benefits of implementing the TWIC program in a manner that 
will meet stated mission needs and mitigate existing security risks. This is impor- 
tant because, unlike prior access control approaches which allowed access to a spe- 
cific facility, the TWIC potentially facilitates access to thousands of facilities once 
the Federal Government attests that the TWIC holder has been positively identified 


®3The Coast Guard estimated a need for 300 handheld biometric readers, based on an esti- 
mate of 5 readers for each of the Coast Guard’s major field inspections units across the country. 
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and is deemed not to be a security threat. Further, doing so as part of the regu- 
latory analysis could better assure DHS, Congress, and maritime stakeholders that 
TWIC program security objectives will be met. Finally, by designing and imple- 
menting a cost-effective and practical method for collecting, cataloging, and querying 
TWIC-related compliance information, the Coast Guard could be better positioned 
to identify trends and to obtain management information needed to assess and un- 
derstand existing vulnerabilities with the use of TWIC. 

Recommendations for Executive Action 

To identify effective and cost-efficient methods for meeting TWIC program objec- 
tives, and assist in determining whether the benefits of continuing to implement 
and operate the TWIC program in its present form and planned use with readers 
surpass the costs, we recommend that the Secretary of Homeland Security take the 
following four actions: 

• Perform an internal control assessment of the TWIC program by: (1) analyzing 
existing controls, (2) identifying related weaknesses and risks, and (3) deter- 
mining cost-effective actions needed to correct or compensate for those weak- 
nesses so that reasonable assurance of meeting TWIC program objectives can 
be achieved. This assessment should consider weaknesses we identified in this 
report among other things, and include: 

• strengthening the TWIC program’s controls for preventing and detecting iden- 
tity fraud, such as requiring certain biographic information from applicants 
and confirming the information to the extent needed to positively identify the 
individual, or implementing alternative mechanisms to positively identify in- 
dividuals; 

• defining the term extensive criminal history for use in the adjudication proc- 
ess and ensuring that adjudicators follow a clearly defined and consistently 
applied process, with clear criteria, in considering the approval or denial of 
a TWIC for individuals with extensive criminal convictions not defined as per- 
manent or interim disqualifying offenses; and 

• identifying mechanisms for detecting whether TWIC holders continue to meet 
TWIC disqualifying criminal offense and immigration-related eligibility re- 
quirements after TWIC issuance to prevent unqualified individuals from re- 
taining and using authentic TWICs. 

• Conduct an effectiveness assessment that includes addressing internal control 
weaknesses and, at a minimum, evaluates whether use of TWIC in its present 
form and planned use with readers would enhance the posture of security be- 
yond efforts already in place given costs and program risks. 

• Use the information from the internal control and effectiveness assessments as 
the basis for evaluating the costs, benefits, security risks, and corrective actions 
needed to implement the TWIC program in a manner that will meet stated mis- 
sion needs and mitigate existing security risks as part of conducting the regu- 
latory analysis on implementing a new regulation on the use of TWIC with bio- 
metric card readers. 

• Direct the Commandant of the Coast Guard to design effective methods for col- 
lecting, cataloguing, and querying TWIC-related compliance issues to provide 
the Coast Guard with the enforcement information needed to assess trends in 
compliance with the TWIC program and identify associated vulnerabilities. 

Agency Comments and Our Evaluation 

We provided a draft of the sensitive version of this report to the Secretary of 
Homeland Security for review and comment on March 18, 2011. DHS provided writ- 
ten comments on behalf of the Department, the Transportation Security Administra- 
tion, and the United States Coast Guard, which are reprinted in full in appendix 
IV. In commenting on our report, DHS stated that it concurred with our four rec- 
ommendations and identified actions planned or under way to implement them. 

While DHS did not take issue with the results of our work, DHS did provide new 
details in its response that merit additional discussion. First, DHS noted that it is 
working to strengthen controls around applicant identity verification in TWIC, but 
that document fraud is a vulnerability to credential-issuance programs across the 
Federal Government, state and local governments, and the private sector. DHS fur- 
ther noted that a governmentwide infrastructure does not exist for information 
sharing across all entities that issue documents that other programs, such as TWIC, 
use to positively authenticate an individual’s identity. We acknowledge that such a 
government-wide infrastructure does not exist, and, as discussed in our report, rec- 
ognize that there are inherent weaknesses in relying on identity documents alone 
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to confirm an individual’s identity. However, positively identif 3 dng individuals — or 
confirming their identity — and determining their eligibility for a TWIC is a key stat- 
ed program goal. Issuing TWICs to individuals without positively identifying them 
and subsequently assuring their eligibility could, counter to the program’s intent, 
create a security vulnerability. While we recognize that additional costs could be im- 
posed by requiring positive identification checks, taking actions to strengthen the 
existing identity authentication process, such as only accepting documents that TSA 
can and does confirm to be authentic with the issuing agency, and verifying an ap- 
plicant’s business need, could enhance TWIC program efforts to prevent and detect 
identity fraud and enhance maritime security. 

Second, DHS stated that it is working to continually verify TWIC-holder eligibility 
after issuance but also noted the limitations in the current process. While TSA does 
receive some criminal history records information when it sends fingerprints to the 
FBI, the information is not provided recurrently, nor is the information necessarily 
complete. DHS stated that to provide the most robust recurrent vetting against 
criminal records, TSA would need access to additional state and Federal systems, 
and have additional authority to do so. As we reported, FBI and TWIC officials stat- 
ed that because the TWIC background check is considered to be for a noncriminal 
justice purpose, policy and statutory provisions hamper the program from running 
the broader FBI fingerprint-based check using the fingerprints collected at enroll- 
ment on an ongoing basis. However, we continue to believe that TSA could com- 
pensate for this weakness by leveraging existing mechanisms available to maritime 
stakeholders. For example, other governing entities — such as the Alabama State 
Port Authority — that have an interest in ensuring the security of the maritime envi- 
ronment, might be willing to establish a mechanism for independently sharing rel- 
evant information when warranted. Absent efforts to leverage available information 
sources, TSA may not be successful in tempering existing limitations. 

Lastly, DHS sought clarification on the reporting of our investigators’ success at 
breaching security at ports during covert testing. Specifically, in its comments, DHS 
noted that it believes that our report’s focus on access to port areas rather than ac- 
cess to individual facilities can be misleading. DHS noted that we do not report on 
the number of facilities that our investigators attempted to gain access to within 
each port area. DHS stated that presenting the breaches in terms of the number 
of port areas breached rather than the number of facilities paints a more trouble- 
some picture of the actual breaches that occurred. We understand DHS’s concern 
but continue to believe that the results of our investigators’ work, as reported, fairly 
and accurately represents the results and significance of the work conducted. The 
goal of the covert testing was to assess whether or not weaknesses exist at ports 
with varying characteristics across the nation, not to define the pervasiveness of ex- 
isting weaknesses by type of facility, volume, or other characteristic. Given the nu- 
merous differences across facilities and the lack of publicly available information 
and related statistics for each of the approximately 2,509 MTSA-regulated facilities, 
we identified covert testing at the port level to be the proper unit of analysis for 
our review and reporting purposes. Conducting a detailed assessment of the perva- 
siveness of existing weaknesses by type of facility, volume, or other characteristics 
as suggested by DHS would be a more appropriate tasking for the Coast Guard as 
part of its continuing effort to ensure compliance with TWIC-related regulations. 

In addition, with regard to covert testing, DHS further commented that the report 
does not distinguish among breaches in security using a counterfeit TWIC or an au- 
thentic TWIC card obtained with fraudulent documents. DHS noted that because 
there is no “granularity” with the report as to when a specific card was used, one 
can be left with the unsupported impression that individual facilities in all cases 
were failing to implement TWIC visual inspection requirements. For the above 
noted reason, we did not report on the results of covert testing at the facility level. 
However, our records show that use of counterfeit TWICs was successful for gaining 
access to more than one port where our investigators breached security. Our inves- 
tigators further report that security officers never questioned the authenticity of 
TWICs presented for acquiring access. Our records show that operations at the loca- 
tions our investigators breached included cargo, containers, and fuel, among others. 

In addition, TSA provided written technical comments, which we incorporated into 
the report, as appropriate. 

We are sending copies of this report to the Secretary of Homeland Security, the 
Assistant Secretary for the Transportation Security Administration, the Com- 
mandant of the United States Coast Guard, and appropriate congressional commit- 
tees. In addition, this report is available at no charge on the GAO website at http:! / 
www.gao.gov. 
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If you or your staff have any questions about this report, please contact me. 

Stephen M. Lord 

Director, Homeland Security and Justice Issues 
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Appendk I: Key Steps in the TWIC Enrollment Process 

Transportation workers are enrolled by providing biographic information, such as 
name, date of birth, and address, and proof of identity documents, and then photo- 
graphed and fingerprinted at 1 of approximately 149 enrollment centers by trusted 
agents. A trusted agent is a member of the TWIC team who has been authorized 
by the Federal Government to enroll transportation workers in the TWIC program 
and issue TWIC cards. Trusted agents are subcontractor staff acquired by Lockheed 
Martin as part of its support contract with TSA for the TWIC program. Table 2 
below summarizes key steps in the enrollment process. 
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Table 2. — TWIC Enrollment Process Summary 


1. The TWIC applicant fills out a TWIC Application and Disclosure Form and affirms that the infor- 
mation he or she is providing to TSA is truthful. 

2. The applicant is required to present documentation to establish his or her identity to the trusted 
agent at the enrollment center. The documentation required is dependant upon the applicant’s legal 
presence in the United States or whether the applicant was born in the United States. 

3. The trusted agent (government contractor) captures the applicant’s biographic information, such as 
name and date of birth, in the TWIC system. This can be done in various ways, such as by scan- 
ning fingerprints and certain identity documents or by manually typing information into the sys- 
tem. 

4. The trusted agent reviews the identity documents to establish and confirm the applicant’s identity 
and to confirm the documents’ authenticity by reviewing the physical security features on the docu- 
ments. 

5. The trusted agent scans the identity documents to record a digital image of the applicant’s identity 
information. 

6. The trusted agent uses a machine-readable document scanning device to assess the risk of certain 
documents being fraudulent. Not all documents can be assessed using this device. 

7. The applicant’s 10 fingerprints (where available) are captured in the system. The presence of non- 
suitable fingerprints or lack of a finger for biometric use is documented in the system by the trust- 
ed agent. 

8. The applicant’s digital picture is taken. 

9. The enrollment record is completed, encrypted, and is forwarded by the trusted agent to undergo 
the TWIC program’s background checking procedures. 

Source: GAO analysis of the TWIC program enrollment process and documentation. 


Appendix II: TWIC Program Funding 

According to TSA and Federal Emergency Management Agency (FEMA) program 
officials, from Fiscal Year 2002 through 2010, the TWIC program had funding au- 
thority totaling $420 million. Through Fiscal Year 2009, $111.5 million in appro- 
priated funds, including reprogramming and adjustments, had been provided to 
TWIC (see table 3 below). An additional $196.8 million in funding was authorized 
from Fiscal Years 2008 through 2010 through the collection of TWiC enrollment fees 
by TSA, and $111.7 million had been made available to maritime facilities imple- 
menting TWIC from FEMA grant programs — the Port Security Grant Program and 
the Transit Security Grant Program — from Eiscal Years 2006 through 2010. In addi- 
tion, industry has spent between approximately $185.7 million and $234 million to 
purchase 1,765,110 TWICs as of January 6, 2011. The costs for implementing the 
TWIC program, as estimated by TSA for informing the regulation on requiring the 
use of TWIC as an identification credential, is from $694.3 million to $3.2 billion 
over a 10-year period. This estimate includes the costs related to purchasing TWICs 
and visually inspecting them. However, this estimate does not include the costs re- 
lated to implementing TWIC with biometric card readers or related access control 
systems.^ 



Table 3. 

— TWIC Program Funding from Fiscal Years 2002 through 2010 

Dollars in millions 


Fiscal 

year 

Appropriated 

Reprogramming 

Adjustments 

TWIC fee 
authority ® 

Federal security 
grant awards 
related to TWIC’ 

Total funding 
authority 

2002 

0 

0 

0 

0 

0 

0 

2003 

$5.0 

0 

$20 

0 

0 

$25.0 

2004 

$49.7 

0 

0 

0 

0 

$49.7 

2005 

$5.0 

0 

0 

0 

0 

$5.0 

2006 

0 

$15.0 

0 

0 

$24.3 

$39.3 

2007 

0 

$4.0 

$4.7 

0 

$31.5*^ 

$40.2 


^ Range based on a reduced fee of $105.25 per TWIC for workers with current, comparable 
background checks or a $132.50 fee per TWIC for those without. 

2 See Transportation Worker Identification Credential (TWIC) Implementation in the Mari- 
time Sector; Final Rule, 72 Fed. Reg. 3492, 3571 (2007). 
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Table 3. — TWIG Program Funding from Fiscal Years 2002 through 2010 — Continued 

Dollars in millions 


Fiscal 

year 

Appropriated 

Reprogramming 

Adjustments 

TWIG fee 
authority “ 

Federal security 
grant awards 
related to TWIG 

Total funding 
authority 

2008 

$8.1 

0 

0 

$42.5 

$18.0 

$68.6 

2009 

0 

0 

0 

$109.3 

$22.2^ 

$131.5 

2010 

0 

0 

0 

$45.0 

$15.7 

$60.7 

Total 

$67.8 

$19.0 

$24.7 

$196.8 

$111.7 

$420 


Source: GAO analysis of TWIG program funding reported by TSA and FEMA. 

“Figures in the TWIG fee authority column represent the doUar amount TSA is authorized to collect from TWIG enrollment fees 
and not the actual dollars collected. TSA reports to have collected $41.7 million for Fiscal Year 2008, $76.2 million for Fiscal Year 
2009, and $30.6 million for Fiscal Year 2010. 

'’According to FEMA, many of these awards are issued as cooperative agreements and, as such, the scope and amounts may 
change as the project(s> proceed. Also, FEMA has not received projects from aU grant recipients so the total number of projects 
may increase slightly over time. 

‘^Federal security grant funding subtotal for Fiscal Year 2007 includes $19.2 million in Fiscal Year Port Security Grant Program 
funding, $10.8 million in supplemental funding, and $1.5 million in Transit Security Grant Program funding. 

Federal security grant funding subtotal for Fiscal Year 2009 includes $3.9 million in Fiscal Year Port Security Grant Program 
funding and an additional $18.3 million in American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5, 123 Stat. 115 
(2009)) funding. 


Appendix III: List of Documents U.S.-Born Citizens or Nationals Must Select 
FROM TO Present When Applying for a TWIC 

TWIC applicants who are citizens of the United States (or its outlying posses- 
sions) and were born inside the United States (or its outlying possessions), must 
provide one document from list A or two documents from list B. If two documents 
from list B are presented, at least one of them must be a government-issued photo 
identification, such as a state-issued driver’s license, military ID card, or state iden- 
tification card. 

List A 

• Unexpired United States passport book or passport card 

• Unexpired Merchant Mariner Document 

• Unexpired Free and Secure Trade Card ^ 

• Unexpired NEXUS Card^ 

• Unexpired Secure Electronic Network for Travelers Rapid Inspection Card 

List B 

• Unexpired driver’s license issued by a state or outlying possession of the United 
States 

• Unexpired identification card issued by a state or outl3dng possession of the 
United States. Must include a state or state agency seal or logo (such as state 
port authority identification or state university identification) 

• Original or certified copy of birth certificate issued by a state, county, municipal 
authority, or outlying possession of the United States bearing an official seal 

• Voter’s registration card 

• United States military identification card or United States retired military iden- 
tification 

• United States military dependent’s card 

• Expired United States passport (within 12 months of expiration) 

• Native American tribal document (with photo) 

• United States Social Security card 

• United States military discharge papers (DD-214) 

• Department of Transportation medical card 


^The Free and Secure Trade (FAST) Card is to be issued to approved commercial drivers to 
facilitate the travel of low-risk screened shipments across the borders between the U.S. -Cana- 
dian border and to the U.S. from Mexico. 

“The NEXUS card can be used as an alternative to the passport for air, land, and sea travel 
into the United States for U.S. and Canadian citizens. The NEXUS program allows prescreened 
travelers expedited processing by United States and Canadian officials at dedicated processing 
lanes at designated northern border ports of entry, at NEXUS kiosks at Canadian Preclearance 
airports, and at marine reporting locations. 
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• United States civil marriage certificate 

• Unexpired Merchant Mariner License bearing an official raised seal, or a cer- 
tified copy 

• Unexpired Department of Homeland SecurityATransportation Security Adminis- 
tration Transportation Worker Identification Credential Card 

• Unexpired Merchant Mariner Credential 


Appendix IV: Criminal Offenses That May Disqualify Applicants from 
Acquiring a TWIC 

Listed below are criminal offenses that can prevent TWIC applicants from being 
issued a TWIC. Pursuant to TSA implementing regulations, permanent disquali- 
fying offenses are offenses defined in 49 C.F.R. 1572.103(a). Permanent disquali- 
fying offenses that can be waived are those offenses defined in 49 C.F.R. 1572.103(a) 
for which a waiver can be granted in accordance with 49 C.F.R. 1515.7(a)(i). Interim 
disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(b) for which the ap- 
plicant has either been: (1) convicted, or found not guilty by reason of insanity, with- 
in a 7-year period preceding the TWIC application, or (2) incarcerated for within a 
5-year period preceding the TWIC application. Applicants with certain permanent 
criminal offenses and all interim disqualifying criminal offenses may request a 
waiver of their disqualification. In general, TSA may issue such a waiver and grant 
a TWIC if TSA determines that an applicant does not pose a security threat based 
upon the security threat assessment. 

Permanent disqualifying criminal offenses for which no waiver may be granted. 

1. Espionage, or conspiracy to commit espionage. 

2. Sedition, or conspiracy to commit sedition. 

3. Treason, or conspiracy to commit treason. 

4. A Federal crime of terrorism as defined in 18 U.S.C. 2332b(g), or comparable 
state law, or conspiracy to commit such crime. 

Permanent disqualifying criminal offenses for which a waiver may be granted. 

1. A crime involving a transportation security incident. A transportation secu- 
rity incident is a security incident resulting in a significant loss of life, environ- 
mental damage, transportation system disruption, or economic disruption in a 
particular area, as defined in 46 U.S.C. § 70101. The term economic disruption 
does not include a work stoppage or other employee-related action not related 
to terrorism and resulting from an employer-employee dispute. 

2. Improper transportation of a hazardous material under 49 U.S.C. § 5124, or 
a state law that is comparable. 

3. Unlawful possession, use, sale, distribution, manufacture, purchase, receipt, 
transfer, shipping, transporting, import, export, storage of, or dealing in an ex- 
plosive or explosive device. An explosive or explosive device includes, but is not 
limited to, an explosive or explosive material as defined in 18 U.S.C. §§232(5), 
841(c) through 841(f), and 844(j); and a destructive device, as defined in 18 
U.S.C. § 921(a)(4) and 26 U.S.C. § 5845(f). 

4. Murder. 

5. Making any threat, or maliciously conveying false information knowing the 
same to be false, concerning the deliverance, placement, or detonation of an ex- 
plosive or other lethal device in or against a place of public use, a state or gov- 
ernment facility, a public transportations system, or an infrastructure facility. 

6. Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 
U.S.C. §1961, et seq. , or a comparable state law, where one of the predicate 
acts found by a jury or admitted by the defendant, consists of one of the crimes 
listed in paragraph 49 C.F.R. § 1572.103(a). 

7. Attempt to commit the crimes in paragraphs listed under 49 C.F.R. 
§ 1572.103(a)(1) through (a)(4). 

8. Conspiracy or attempt to commit the crimes in 49 C.F.R. § 1572.103(a)(5) 
through (a)(10). 

The interim disqualifying felonies. 

1. Unlawful possession, use, sale, manufacture, purchase, distribution, receipt, 
transfer, shipping, transporting, delivery, import, export of, or dealing in a fire- 
arm or other weapon. A firearm or other weapon includes, but is not limited 
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to, firearms as defined in 18 U.S.C. § 921(a)(3) or 26 U.S.C. § 5845(a), or items 
contained on the United States Munitions Import List at 27 CFR §447.21. 

2. Extortion. 

3. Dishonesty, fraud, or misrepresentation, including identity fraud and money 
laundering where the money laundering is related to a crime described in 49 
C.F.R. § 1572.103(a) or (b). Welfare fraud and passing bad checks do not con- 
stitute dishonesty, fraud, or misrepresentation for purposes of this paragraph. 

4. Bribery. 

5. Smuggling. 

6. Immigration violations. 

7. Distribution of, possession with intent to distribute, or importation of a con- 
trolled substance. 

8. Arson. 

9. Kidnapping or hostage taking. 

10. Rape or aggravated sexual abuse. 

11. Assault with intent to kill. 

12. Robbery. 

13. Fraudulent entry into a seaport as described in 18 U.S.C. § 1036, or a com- 
parable state law. 

14. Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 
U.S.C. § 1961, et seq., or a comparable state law, other than the violations listed 
in paragraph 49 C.F.R. § 1572.103(a)(10). 

15. Conspiracy or attempt to commit the interim disquahf 3 dng felonies. 


Appendix V: Comparison of Authentic and Counterfeit TWICs 
Figure 1: Comparison of Authentic and Counterfeit TWICs 

Details from this section were removed because the agency deemed them to be 
sensitive security information. 


Appendix VI: Comments from the Department of Homeland Security 

U.S. Department or Homeland Security 

Washington, DC, May 5, 2011 

Mr. Stephen M. Lord, 

Director, Homeland Security and Justice Issues, 

U.S. Government Accountability Office, 

Washington, DC. 

Dear Mr. Lord: 

Re: GAO-11-657, Draft Report, Transportation Worker Identification Credential: In- 
ternal Control Weaknesses Need to be Corrected to Help Achieve Security Ob- 
jectives 

Thank you for the opportunity to review and comment on this draft report. The 
U.S. Department of Homeland Security (DHS) appreciates the U.S. Government Ac- 
countability Office’s (GAO’s) work in planning and conducting its review and issuing 
this report. 

Transportation Worker Identification Credential (TWIC) is a vital security pro- 
gram that is jointly administered by the U.S. Coast Guard (USCG) and the Trans- 
portation Security Administration (TSA). TSA is responsible for enrollment, vetting, 
and card production, with the support of the U.S. Citizenship and Immigration 
Services, while the USCG governs access control requirements and has primary re- 
sponsibility for enforcement. As of March 2011, TSA has enrolled and vetted more 
than 1.8 million maritime workers. As a result of DHS’s rigorous vetting process, 
35,661 individuals were denied from receiving a TWIC. DHS agrees that more work 
is needed to strengthen existing security controls and has begun efforts to address 
many of the GAO’s findings. 

DHS Increasing Applicant Identity Verification Controls 

DHS is working to strengthen controls around applicant identity verification in 
TWIC, knowing that document fraud is a vulnerability to credential-issuance pro- 
grams across Federal, state, and local governments, and the private sector. To es- 
tablish identity and proof-of-citizenship, TWIC leverages documents issued by mul- 
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tiple Federal, state, and local entities. However, a government-wide infrastructure 
does not exist for information sharing across all entities that issue the breeder docu- 
ments that relying parties use to positively authenticate an identity. TWIG follows 
best practices to mitigate the risks from not having visibility or control of the phys- 
ical characteristics or the issuance process for these documents. Specifically. TWIG 
uses document authentication readers and requires fraudulent document training of 
its Trusted Agents as safeguards against document fraud. 

TWIG will benefit from national efforts to strengthen identity documents. For ex- 
ample, DHS continues to work with the states to implement the requirements of the 
REAL ID Act for more secure driver’s licenses, as well as the underlying issuance 
processes and procedures. Furthermore, efforts are underway in the Federal Govern- 
ment, state vital records agencies, and departments of motor vehicles to enhance se- 
curity related to core breeder documents, such as birth certificates, which would as- 
sist in positive authentication. 

TSA is also actively engaged with the DHS’s United States Visitor and Immigrant 
Status Indicator Technology (US-VISIT) program to include TWIG applicant data 
into the US-VISIT database, referred to as IDENT. Biometrics placed in IDENT are 
linked to specific biographic information, enabling a person’s identity to be estab- 
lished and then verified by the U.S. Government. 

TWIG is also strengthening safeguards against cards being misused after 
issuance. An upcoming USGG rulemaking will include a requirement for electronic 
verification of the TWIG card through use of card readers. The use of electronic 
readers will provide the port or facility authority in charge of access control deci- 
sions with a higher level of assurance that the TWIG presented is authentic, valid 
(not revoked), and unexpired. 

DHS Working to Continually Verify TWIG Holder Eligibility after Issuance 

DHS strongly agrees on the value of recurrent vetting. DHS is making progress 
in the effort to reasonably assure that TWIG holders have maintained their eligi- 
bility once issued their "rWIGs. TSA conducts recurrent checks of TWIG holders 
against the Terrorist Screening Database and other databases. TSA has the author- 
ity to revoke TWIGs based on the results of recurrent vetting, and use of card read- 
ers for electronic verification will strengthen the effectiveness of these processes. 

In order to provide the most robust recurrent vetting against criminal history 
records, TSA needs full access to Griminal History Records Information (GHRI), 
similar to that of a criminal justice agency or law enforcement officer; this informa- 
tion is available at the state level and accessed via the Interstate Identification 
Index managed by the U.S. Department of Justice, Eederal Bureau of Investigation 
(EBI). Although 'TSA receives some GHRI when it sends fingerprints to the EBI for 
initial vetting, the EBI does not perform recurrent vetting of GHRI on behalf of 
TSA. The EBI has deemed that 'TSA’s security threat assessments for TWIG are 
non-criminal justice activities. As a result, TSA is unable to request subsequent 
GHRI for recurrent vetting without a submission of new fingerprints from the indi- 
vidual. Additionally, TSA may not always receive all available information because 
of the FBI’s designation as “non-criminal justice” purposes for TSA security threat 
assessments. States may not upload all available information into the FBI biometric 
system and may not respond to GHRI requests for “non-criminal justice” activities. 
DHS has and will continue to work with the FBI and states to try to expand access 
to the GHRI. 

While not a final solution to the challenge of recurrent criminal vetting, including 
TWIG data in IDENT would provide a framework to initiate more recurrent vetting 
on GURL, where available, for TWIG holders. In addition to supporting identity 
verification, biometric data from IDENT is used to conduct vetting against criminals 
and immigration violators. TSA and US-VISIT are working to include TWIG data 
in the IDENT database. 

DHS Clarification on GAO Breaches of MTSA-Regulated Ports 

DHS would also like to address aspects of GAO’s covert operation defined in the 
report that we believe warrant further clarification. 

DHS believes that the focus on access to port areas rather than access to indi- 
vidual facilities can be misleading. Specifically, the report states that GAO inves- 
tigators successfully penetrated ports between August 2009 and Eebruary 2010. 
However, the report does not breakdown the number of facilities to which GAO at- 
tempted to gain access within each port area. Each port is unique in design and 
operation — ranging from some ports housing hundreds of individual facilities spread 
over a large geographic area to other ports containing only a few facilities in a small 
geographic area with one main access control point. While GAO stated that it did 
not require its covert investigators to record the individual attempts to access facili- 
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ties, investigators indicated during discussions with USCG that they were successful 
in gaining unauthorized access at some individual facilities within the port areas. 
The presentation of breaches at port versus individual facilities paints a more trou- 
blesome picture of the actual breaches that occurred. 

Third, the report does not distinguish among fraud committed with counterfeit 
TWIG cards, authentic TWIG cards obtained with fraudulent documents, and access 
control decisions made by facility personnel. Each type of fraud has a different miti- 
gation technique. The fact that a Facility Security Officer does not question what 
appears to be a valid card should not be intertwined with cases in which a counter- 
feit card was presented to gain access. Because there is no granularity within the 
report as to when a specific card was used, one can be left with the unsupported 
impression that individual facilities in all cases were failing to implement TWIG vis- 
ual inspection requirements. Or, as written in this report, that ports failed to prop- 
erly implement these requirements. 

Recent Developments 

The GAO audit was beneficial in helping DHS identify immediate actions that 
could strengthen the effectiveness of the TWIG program. 

TSA has already taken steps to remedy some of the missing internal controls that 
GAO has identified. Starting in January 2011, the TWIG program initiated a 100- 
percent review of all fingerprint matches received in the system. These matches 
could highlight potential fraud in the TWIG enrollment process where one indi- 
vidual could be attempting to enroll under a different identity and possibly with 
fraudulent documents. During this process, the TWIG program has already referred 
numerous cases to our Law Enforcement Investigations Unit where investigations 
are under way. 

On Eebruary 14, 2011, USGG Headquarters published additional guidance to field 
units regarding the importance of TWIG inspections and verifications. The guidance 
directed Gaptains of the Port to place a higher priority on the review and validation 
of TWIG verification procedures during the required Maritime Transportation Secu- 
rity Act (MTSA) security inspections. Additionally, the guidance encouraged Gap- 
tains of the Port and the Facility Security Officers to take advantage of training 
aids regarding the identification of fraudulent TWIGs published on Homeport-the 
USGG’s Internet site for maritime information. 

As previously mentioned, the USGG is currently developing an upcoming rule- 
making that will include a requirement for card readers at ports and facilities. The 
TWIG program has completed a pilot that evaluated using card readers for elec- 
tronic verification of the TWIG card. DHS believes that electronic verification of 
TWIG cards will significantly enhance protection against counterfeit, tampered, or 
expired TWIG cards being used to gain access to secure facilities. 

TSA is in the initial phases of a modernization effort for its vetting infrastructure. 
This effort is aimed at consolidating systematic processes related to conducting 
background checks with the goal of improving the overall security and consistency 
of our enrollment and vetting processes. As the modernization effort moves forward, 
the TWIG program will continue to be heavily involved to ensure that any internal 
control gaps or risks are addressed or further mitigated. 

GAO Recommendations 

DHS takes the findings of this review very seriously. DHS strongly believes that 
TWIG has an overall effect of strengthening the security of our nation’s ports. We 
also acknowledge and appreciate GAO’s work to identify opportunities to enhance 
current program controls. We recognize that breaches did occur and that the De- 
partment and port facility owners and operators need to take steps to enhance secu- 
rity. DHS appreciates the opportunity to provide GAO with comments to its audit 
recommendations. 

“To identify effective and cost efficient methods for meeting TWIG program objec- 
tives, and assist in determining whether the benefits of continuing to implement 
and operate the TWIG program in its present form and planned use with readers 
surpass the costs, we recommend that the Secretary of Homeland Security take the 
following four actions: 

Recommendation 1 : Perform an internal control assessment of the TWIG program 
by: (1) analyzing existing controls, (2) identifying related weaknesses and risks, and 
(3) determining cost-effective actions needed to correct or compensate for those 
weaknesses so that reasonable assurance of meeting TWIG program objectives can 
be achieved. This assessment should consider weaknesses we identified in this re- 
port, among other things, and include: 
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• strengthening the TWIC program’s controls for preventing and detecting iden- 
tity fraud, such as requiring certain biographic information from applicants and 
confirming the information to the extent needed to positively identify the indi- 
vidual, or implementing alternative mechanisms to positively identify individ- 
uals; 

• defining the term extensive criminal history for use in the adjudication process 
and ensuring that adjudicators follow a clearly defined and consistently applied 
process, with clear criteria, in considering the approval and denial of a TWIC 
for individuals with extensive criminal convictions not defined as a permanent 
or interim disqualifying offense, and; 

• identifying mechanisms for detecting whether TWIC-holders continue to meet 
TWIC disqualifying criminal offense and immigration-related eligibility require- 
ments after TWIC issuance to prevent unqualified individuals from retaining 
and using authentic TWICs.” 


Response: Concur. DHS agrees that an internal control assessment should and 
will be performed. Once the final GAO report is issued, DHS will initiate a com- 
prehensive review of current internal controls with a specific focus on the controls 
highlighted in this report. In the interim, TSA and USCG are evaluating and imple- 
menting new internal controls as discussed in this letter. 

Recommendation 2: “Conduct an effectiveness assessment that includes address- 
ing internal control weaknesses and, at a minimum, evaluates whether use of TWIC 
in its present form and planned use with readers would enhance the posture of se- 
curity beyond efforts already in place given costs and program risks.” 

Response: Concur. DHS agrees that the results of the internal control assessment 
should be used to further evaluate the effectiveness of the TWIC program. 

Recommendation 3: “Use the information from the internal control and effective- 
ness assessments as the basis for the evaluating the costs, benefits, security risks, 
and corrective actions needed to implement the TWIC program in a manner that 
will meet stated mission needs and mitigate existing security risks as part of con- 
ducting the regulatory analysis on implementing a new regulation on the use of 
TWIC with biometric card readers.” 

Response: Concur. As the internal control assessments progress, any applicable 
data or risks will be communicated to USCG for consideration during their regu- 
latory analysis. 

Recommendation 4: “Direct the Commandant of the Coast Guard to design effec- 
tive methods for collecting, cataloging, and querying TWIC-related compliance 
issues to provide the Coast Guard with the enforcement information needed to as- 
sess trends in compliance with the TWIC program and identify associated 
vulnerabilities.” 

Response: Concur. USCG has already incorporated changes to its current version 
of Marine Information for Safety and Law Enforcement (MISLE) to enhance data 
collection since the TWIC compliance date of April 15, 2009. Incorporation of addi- 
tional changes is planned in a future release of MISLE that will add to current ca- 
pabilities to collect data and allow for more detailed trend analysis. 

Again, thank you for the opportunity to review and comment on this draft report. 
We look forward to working with you on future Homeland Security issues. 

Sincerely, 


Jim H. Crumpackee, 

Director, Departmental GAO/OIG Liaison Office. 


Appendix VII: GAO Contact and Staff 
Stephen M. Lord at (202) 512-4379 or at lords@gao.gov 

Staff Acknowledgments 

In addition to the contact named above, David Bruno (Assistant Director), Joseph 
P. Cruz, Scott Fletcher, Geoffrey Hamilton, Richard Hung, Lemuel Jackson, Linda 
Miller, Jessica Orr, and Julie E. Silvers made key contributions to this report. 

Senator Lautenberg. Thank you very much, Mr. Lord. 

It’s astounding to hear your testimony and see the large percent- 
age of those really not qualified to receive the card. And then you 
said, being convicted of a felony does not automatically disqualify 
a person from being eligible. And it goes on to detail what kind of 
offenses: espionage, treason, other offenses, such as murder or the 
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unlawful possession of explosive device. It sounds like we’re not at- 
tracting, always, the kinds of applicants that would qualify to get 
a card. And that’s a tough outcome for something that ought to be 
done much differently. 

Through your covert testing, you said you were able to obtain 
fraudulent TWIG cards, and access secure facilities using these 
cards. Now, what kind of threats are these to our ports and our 
other secure facilities? 

Mr. Lord. Well, in our report today, we reference a 2008 Coast 
Guard assessment, in which it states, very clearly, al Qaeda con- 
siders U.S. ports and facilities to be legitimate targets. Perhaps the 
Coast Guard witness could expound on that. But, that to us, that’s 
why this issue is important. 

Senator Lautenberg. The fact of the matter is that there’s a 
question that invites a view of the magnitude of the problems that 
are involved in having something that can be stabilized and relied 
upon. And I wonder what other kinds of approaches there might 
be in order to get this to be an easier program to manage — one 
that’s more reliable. Anyone want to make a quick suggestion here 
on that regard? 

Mr. Pistole? 

Admiral CooK. Mr. Chairman, I would just go back a little bit 
in history. I happen to have been the Captain of Port for the Hous- 
ton-Galveston area during 9/11. And at that time, when we tried 
to bring into account — actually, before the MTSA, but certainly rec- 
ognizing that access control was very, very important — that we 
tried to find a document that could be universally recognized from 
facility to facility which, typically, would have their own card. 
Sometimes they would recognize driver’s license. Sometimes they 
would recognize other Federal ID cards. That was a very important 
thing for us to address early on. So, as we move from that initial, 
you know, implementation, and realizing that we needed to have 
more secure ports in the future, looking forward to one card that 
could be universally recognized, that guards could be trained to 
recognize, security features could be built in. And I think that that 
has been viewed as a very good thing. The Coast Guard actually 
looks forward to the opportunity to maximize that card through the 
use of card readers, which will then provide an additional level of 
verification, authentication, and validation. But — so, I — from my 
point of view, I would say that the card has introduced a signifi- 
cant amount of security, and certainly with my past experience 

Senator Lautenberg. Well, but there is — ^Admiral, there is a 
suggestion that, in some ways, we might have not gained on it, and 
exposed ourselves to more difficult problems in the future. 

So, Mr. Pistole, before we discuss TSA’s effort to address port se- 
curity, it was discovered that al Qaeda was planning an attack on 
a U.S. rail line. To date, TSA’s efforts on rail security have been 
delayed and nearly nonexistent, compared to aviation security. In 
light of this information, what immediate steps are we taking to in- 
crease rail security measures? 

Mr. Pistole. Thank you, Mr. Chairman. Well, obviously, as soon 
as we got the word from the document exploitation from the bin 
Laden raid and the killing of bin Laden, we engaged, particularly, 
with our partners in the rail security, particularly Amtrak for the 
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Northeast Corridor, but all passenger and freight rail, noting the 
context for this information, coming from February of last year, 
and talking about an attack on passenger rail for the 10th anniver- 
sary of 9/11. So, it’s still months away. But, we passed that infor- 
mation immediately and then worked with, particularly, Amtrak 
Police, and others, in terms of what they were doing, in terms of 
additional random, unpredictable patrols, both uniformed officers, 
canines, explosive trace detection — all those things that would 
serve as a deterrent, knowing that the three things the terrorists 
are looking for, in terms of deterrent, are additional police patrols, 
additional canines, or closed-circuit television cameras, as long as 
they’re not suicide bombers, as we saw in London, on July 5 and 
21 of 2005. 

So, that’s what we have done. We’re obviously very much inter- 
ested in the Transportation Security Grant Program and the out- 
come of Congress’s decision on that, in terms of where that will 
be — how much money we’ll have to support both the training ef- 
forts and the additional efforts that I’ve mentioned, in terms of 
things such as infrastructure protection, whether it’s the Port Au- 
thority, Trans-Hudson, the PATH tunnels that you’re so familiar 
with, shoring up those vulnerabilities, and other issues. So, those 
are some of the things we’ve done since that announcement. 

Senator Lautenberg. Senator Boozman. 

Senator Boozman. Thank you, Mr. Chairman. 

Mr. Lord, how much money has been spent on the project? 

Mr. Lord. Since the inception of the program, it’s approximately 
$420 million. And that includes $111 million in direct appropria- 
tions, $112 million in grants, including port security grants and 
transit security grants, and approximately $198 million raised in 
fees. Once you apply for a TWIC, you’re to pay $132.50. So, that 
represents a significant share of the program proceeds. 

Senator Boozman. After looking, the ability to essentially very 
easily obtain a TWIC fraudulently, the fact that it looks like — am 
I reading it right? — of the 1,676,000, 460,000 — over 460,000 crimi- 
nals, only one has been denied? 

Mr. Lord. Actually, we didn’t have full visibility over that, but 
that’s our understanding. Most — ^virtually all were approved, and 
the one was denied, as part of that adjudication process; once de- 
rogatory information is identified in the application process. That’s 
our understanding, which we include in our report. 

Senator Boozman. Based on your investigation, would a normal 
driver’s license from the states, now, that are required to do the — 
you know, much more background check than they used to, as far 
as who you are — would that be more secure identity than the 
TWIC card? Or, is it at least as secure? 

Mr. Lord. It’s at least as secure, probably, in many cases, more 
secure. That’s our point. 

Senator Boozman. We’ve spent all this money, and right now — 
up to now, what we have is less secure than a driver’s license. 

Mr. Lord. Yes. And that was the purpose of our report, quite 
frankly. We identified some design flaws in the system — some 
holes. We think they can be patched. And we also raised an issue 
of facility training. The security guards play a key role in the proc- 
ess, and they, perhaps, need to be provided some additional train- 
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ing. They’ll need to be a little more rigorous in scrutinizing the cre- 
dentials, which are currently being used as a flash pass only. The 
biometric reader, that’s the next stage of the program. 

Senator Boozman. And I guess. Admiral Cook, I would take ex- 
ception to your remark about the TWIG card making us — you 
know, that we’ve had improvement by having it. And you can com- 
ment on this, too, Mr. Lord, and you, Mr. Pistole. But, the fact that 
we have this card that means nothing, or very little, because Mr. 
Lord’s group has demonstrated it’s very easy to get around it — to 
me, it makes us less secure than ever, because when your guys 
check this card, they, in good faith, feel like they’re dealing — you 
know, this system — they have no idea that the card wasn’t valid — 
then it gives them a false sense that they really shouldn’t have at 
this point. Is that true or false? 

Admiral CooK. Senator — and this is not to be argumentative in 
any way — the — I pretty — I’m starting, pre-9/11, in my mind. But, 
then one of the things that — as I said, we’re looking forward to 
being able to move to the electronic reader. And what the Coast 
Guard has done to try to move ahead on that is, we deployed over 
200 portable readers so that we can take advantage of that bio- 
metrics. It still does not account for someone that had a TWIC ob- 
tained based on fraudulent documents, because then the — biomet- 
ric in the card. 

Senator Boozman. The point is, it’s so easy to obtain these things 
fraudulently. 

Admiral Cook. Well, the — as the mariners and workers 

Senator Boozman. And this is not your problem. You’re just the 
guy that’s checking. I don’t 

Admiral Cook. Right. 

Senator Boozman. But, again, I think it puts — ^you’re all at a dis- 
advantage. 

Mr. Lord, who initiated the GAO study? 

Mr. Lord. It was this committee and eight other Congressional 
committees. 

Senator Boozman. Did you find any evidence, as you were inves- 
tigating, that anybody — the Coast Guard, TSA — were concerned 
absent this prior to your investigating the — was this — did this seem 
something that was at the top of their radar, as far as concerns 
about safety and security in this area? 

Mr. Lord. Oh, I think, absolutely, it was on their agenda; it was 
on their radar. But just contextually, we have completed a large 
body of work on TWIC-related issues over the last 5 years. We’ve 
worked very closely with TSA and the Coast Guard on this. We 
have a good, collaborative relationship, and they have taken steps 
to address some of the issues we identified in our report. 

Senator Boozman. Mr. Pistole, who in your agency — I find it re- 
markable — ^you know, if you talk to the truckers and people like 
that, you know checking records — and just employers, in general, 
you know, with drug screenings and — this doesn’t have anything to 
do with drug screenings — but, just in general, checking people out, 
whether or not they’re going to drive a schoolbus or whatever — it’s 
remarkable that, of your people with a criminal record, there’s such 
a low, low, low percentage of people that were flagged. Who in your 
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agency — who’s responsible for that? What entity within TSA is re- 
sponsible for making that decision? 

Mr. Pistole. Well, of course, I’m responsible, overall, but the 

Senator Boozman. No, but you don’t check 

Mr. Pistole. Yes. 

Senator Boozman. — these things off. 

Mr. Pistole. Right. But 

Senator Boozman. Who does that? 

Mr. Pistole. — TTAC, which is our credentialing group, is respon- 
sible for that. 

And just, if I could. Senator 

Senator Boozman. So, what is the name of that group? 

Mr. Pistole. TTAC. It’s T-T-A-C, the credentialing group. 

And just for context, I think — so, I would say — I agree with a 
number of your comments — I would say we are more secure from 
the standpoint of, prior to any of these cards, somebody could use 
a driver’s license, a union card, whatever it may be, that they just 
used to get access to the ports, with no 

Senator Boozman. Mr. Lord has just testified that a driver’s li- 
cense is more secure than the card. 

Mr. Pistole. So, if I could just finish, there — without any back- 
ground check, necessarily — and so, at least, we’re doing background 
checks now. Obviously, there are statutory provisions for people 
with criminal histories. And just by the nature of the workforce, a 
number of dockworkers may have had some criminal history. 
So 

Senator Boozman. Right. 

Thank you, Mr. Chairman. 

Senator Lautenberg. Thank you very much. 

Senator Begich? 

STATEMENT OF HON. MARK BEGICH, 

U.S. SENATOR FROM ALASKA 

Senator Begich. Thank you very much, Mr. Chairman. 

First, I want to thank you. Administrator Pistole, for one pro- 
gram called “Enroll Your Own,” which is very important in our 
rural parts of Alaska, as you know. In order to have people to get 
the TWIC card is very expensive, complex for — and the travel in 
some of our fishing communities. And so, first I want to say thank 
you for that. We do have some suggestions we want to share with 
you — we’ll do it for the record — from our police departments, who 
you work with. 

Mr. Pistole. Good. 

Senator Begich. And I think they have some very positive sug- 
gestions that I would hope you would consider as you continue to 
roll this program out. 

Mr. Pistole. Sure. 

Senator Begich. And I just want to issue a cautionary note, on 
the discussion here on criminal records and so forth — ^you hinted to 
it — in some of these industries, not everyone’s going to have a stel- 
lar background, but are working in jobs that pay sometimes very 
low wages, and a variety of other things. So, I know that’s a careful 
balance that you have to have. 
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My concern — and I don’t know who wants to answer this. Let me, 
first, start with one example. And I may he a little off, here, but 
I’m using an example from my own — one of my own staff people, 
a loaner from one of the agencies, NOAA. Because he works on a 
ship and works on a dock, he goes through a whole process to get 
his card, his common access card — fingerprinting, all the 9 yards. 
Then he has to get a TWIG card, go through the same process. 
That seems such a simple fix, that if you’ve got a Coast Guard per- 
son that’s required to go through and get their card, or a NOAA 
person, or any of these Federal agencies or government agencies, 
like a police department or maritime enforcement office, depending 
on if you’re a coastal area, that, once they’ve done that, they 
shouldn’t have to repeat that. Is that an easy fix that you can do? 

Mr. Pistole. I will take that. Senator. It’s not easy, unfortu- 
nately, but you’ve identified a key issue which is really overriding 
all these individual issues that we’re talking about here today, and 
that’s not only for the whole U.S. Government, in terms of having 
a universal access card, whatever that may be — of course every 
state has different standards. The National Institute of Standards 
Technology, of course, sets some standards that we abide by. But, 
that’s the challenge that we deal with, that this goes — even in my 
last job, at the FBI, where there were all types of fraudulent docu- 
ments because of differing standards by state and the federal gov- 
ernment. 

Senator Begich. But, you’ll probably never get to the unified 
card of any kind. So, we have to take that as a given, even though 
I know, from a law-enforcement — as someone who was a mayor 
that managed a police department, you know, they would love to 
have one card, one place, one location. But, that will never happen, 
because of states’ rights, and many other things. But, it seems, 
even in the Federal agencies — I think if a NOAA person or a Coast 
Guard person or — pick the agency — that goes through this already, 
that they shouldn’t have to go through it again. 

Mr. Pistole. So, there’s 

Senator Begich. First, let me ask, does that make sense, that 
logic? 

Mr. Pistole. Yes. 

Senator Begich. OK. 

Mr. Pistole. Absolutely. 

Senator Begich. So, why not figure out — I know what we’d like 
to do, it seems, in the federal government, as I’ve learned now, is 
always get the big pitch, try to do it all at once, and do everything, 
which is disastrous. Example A, $300 million. You know, maybe 
we’ll learn a little bit out of this. But, it seems like — why don’t we 
just take one piece of the pie and try to deal with it and get it to 
work, rather than this holistic, which — you know, it sounds like an- 
other contractor making a lot of money on a system that doesn’t 
work, that we’ll probably never recoup anything from, and then 
they’ll charge us more to do some more work. 

Mr. Pistole. So, I agree, completely. 

Senator Begich. It’s the 

Mr. Pistole. You would think. Senator 

Senator Begich. — the federal M.O. 
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Mr. Pistole. Right. So, we are working on some proposed rule- 
making that would help in that regard. Obviously, industry has a 
lot of interest and input into that. And so, as we work through this, 
unfortunately I believe it’s a longer-term rather than a short-term 
fix. But, I agree completely with your philosophical approach of try- 
ing to consolidate and make it more efficient and effective for those 
who need these access cards. 

Senator Begich. And then — but, I just give you a cautionary 
note. The standard thought is, “Well, let’s try to figure out all the 
Federal — just take the Coast Guard, get them cleared up. Get the 
NOAA, get them cleared up.” In other words, piecemeal it out so, 
each one, you’re just trying to incrementally do. Is that a realistic 
approach, rather than this — it just makes me very nervous that 
we’re going to try to do all of it at once and then, maybe a year 
and a half or 2 years from now, we’ll have the same conversation, 
maybe with different people, maybe the same people, talking about 
more expense. Is that 

Admiral I don’t know who. Mr. Lord? Whoever. 

Mr. Lord. No, it makes perfect sense. I believe you’re referring 
to consolidating the so-called security threat assessment process. 
Typically, when you go in for a credential now, they’ll run a STA 
on you. To complete an STA, you may need another credential. 
They’ll do it again. What they’re doing is accessing the same — es- 
sentially, the same databases. So, they have an effort. They just 
started. They’re trying to consolidate that. So, they, the Depart- 
ment of Homeland Security, wholeheartedly would agree with your 
position. And they’re already taking steps to do that. Initial steps. 
But, that’s the vision. You want to consolidate 

Senator Begich. Right. 

Mr. Lord. — all that so-called background-checking process, and 
just have one person, one check 

Senator Begich. Right. 

Mr. Lord. — rather than having one person, multiple checks. It’s 
currently 

Senator Begich. Doesn’t make sense, that latter part. 

Mr. Lord. — inefficient, and it costs the consumer, the person ap- 
plying for the card, more money. 

Senator Begich. Let me just end with one question. The people 
that initiated this process — I know it wasn’t under some of you 
folks, because some of you are new, obviously — but, the people 
below you who deal with all this, are they the same people that ini- 
tiated this process, or are they new people? And the reason I ask 
that, sometimes — you know, there’s my question. Because, I just 
heard a little knock on — to the left. 

[Laughter.] 

Senator Begich. Yes or no? 

Mr. Pistole. Yes, mostly the same people. 

Senator Begich. That’s a problem. I’ll leave it at that. 

Senator Lautenberg. Thank you very much. 

Senator Wicker. 

STATEMENT OF HON. ROGER F. WICKER, 

U.S. SENATOR FROM MISSISSIPPI 

Senator Wicker. Thank you. 
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Gentleman, the results of the GAO report, I must say, are abso- 
lutely breathtaking. TSA has failed to implement and evaluate the 
TWIG Program in a way that provides reasonable assurance that 
only qualified individuals have access. GAO investigators were able 
to access secure facilities at U.S. ports during covert tests in which 
they presented either counterfeit TWIG cards, authentic TWIG 
cards, or cards obtained through fraud. GAO found that controls to 
identify the use of potentially counterfeit identity documents were 
not used to inform the background- checking process. TSA does not 
have clear criteria for applying discretionary authority to appli- 
cants who have past criminal convictions. And controls are not de- 
signed to determine whether cardholders have committed disquali- 
fying crimes at the federal and state level after being granted a 
TWIG. 

It seems to me that a decade of work has resulted in a system 
that would put Rube Goldberg to shame, and it almost argues for 
starting over from scratch and trying to design something that 
would work. I would mention again what Senator Boozman has 
pointed out, that of 460,000 TWIG applicants with a criminal 
record, TSA was able to deny access to one of those 460,000-plus 
applicants. I mean, it is absolutely astounding. But, the require- 
ment has succeeded in making things harder on the applicants. 
And I have a report here from a constituent group, regarding TWIG 
card applications and the two-trip requirement. And I’ll quote from 
this business, “The requirement that applicants make two trips to 
a TWIG enrollment center that may be hundreds of miles from 
their workplace or home represents a substantial burden on trans- 
portation workers across the country. A resident living in West 
Plains, Missouri, for example, must make, at minimum, two 350- 
mile round-trips to apply for and activate their card at the nearest 
enrollment center located in Memphis. Another worker in Merid- 
ian, Mississippi, must make, at minimum, two 267-mile round-trips 
to apply for and activate their card at the nearest enrollment cen- 
ter in Mobile.” 

So, for the honest worker who doesn’t have a criminal back- 
ground, he’s got to make two trips. Mr. Lord, is there some way, 
in your judgment, that we could devise a system that does not re- 
quire the two trips? I have confidence in the mail system. And it 
seems to me that receiving a card in the mail, then calling with 
secure information to verify that that card has been received, and 
then activated at that point, much like the credit cards are done, 
that something of that nature should be used to apply some com- 
mon sense to the honest people that are being inconvenienced, to 
the tune of hundreds of miles. 

Mr. Lord. No, that’s an excellent question, sir. We recently 
looked at that, whether you could simply mail a TWIG card to an 
applicant’s place of residence. It sounds easy. But, like many 
things, once you start looking into it, it’s a little more complicated. 
And what we found was, the current policy of the Department is 
to remain aligned with the so-called FIPS 201 standard. This is a 
biometric security standard that pertains to all government creden- 
tials. As long as the policy is to remain aligned with that standard, 
it would preclude you from mailing it to an applicant’s place of resi- 
dence. Why? Because you have to do a biometric match, in person. 
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to ensure security. That helps limit potential fraud. And it’s a key 
security enhancement. We had discussions with the NIST officials 
who crafted the standard — TSA, DHS; they agreed with our assess- 
ment. So, as long as that’s their policy, the current policy is to re- 
main aligned with that standard. Obviously, they could change the 
policy and have to reengineer their business processes, but as long 
as that policy remains unchanged, they cannot mail the TWIG to 
a person’s place of residence. 

To TSA’s credit, they did add some flexibility to the program. In 
February 2009, they allowed the applicant to designate what en- 
rollment center they’d like to pick it up. Sometimes people move. 
You apply for a TWIG in Seattle, say, and move to Memphis. You 
can now say, “Fd like to pick up my card in Memphis,” without 
having to drive all the way back to Seattle. So, there has been 
some effort to respond to the needs of applicants. But, I cannot 
criticize them for requiring the in-person biometric match. That’s 
a key part of the process. 

Senator Wicker. Well, I would just simply suggest, as I yield 
back, that there are so many aspects of this program that are obvi- 
ously going to have to be rethought, that we ought to put up the 
best minds in the country on some way to make this less burden- 
some on the honest folks that actually do comply. 

Thank you. 

Mr. Pistole. Mr. Ghairman 

Senator Lautenberg. Yes. 

Mr. Pistole. I’m sorry. 

Senator Lautenberg. I’m sorry. Yes. 

Mr. Pistole. If I may just respond on the one part to the Sen- 
ator’s question 

Senator Lautenberg. Sure. 

Mr. Pistole. — just briefly. 

Senator on the one denial, the overall numbers — we’ve actually 
denied over 35,000 people, for various disqualifying criteria. The 
one you’re referring to is one who is an individual who had several 
criminal convictions, none of which was individually disqualifying, 
but, taken in totality, was disqualifying. So, it has actually been 
over 35,000. So, that’s the whole purpose of that. We’ve also had 
several people who, it turned out, are on the terrorist watch list, 
who’ve applied for TWIG card, that have also been denied. And I 
could go into more detail in a closed setting on that. 

Senator Lautenberg. Thank you. 

Senator Snowe. 

STATEMENT OF HON. OLYMPIA J. SNOWE, 

U.S. SENATOR FROM MAINE 

Senator Snowe. Thank you, Mr. Ghairman. 

And just to follow up on the question on the enrollment centers 
which is obviously a problem in a state like Maine, where we only 
have two enrollment centers, one in Bangor and one in Portland. 
So, I’m going to explore with you the issue of distance. Do have you 
have any information regarding the impact it has on these workers 
to go long distances in order to secure the card and then have to 
go back and get it approved, and so on, and requiring two different 
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trips for these identity cards? And so, do you have any information 
on that? Who’s 

Mr. Lord. Just to clarify, we audited the program, but we did 
speak to many applicants. And that was a persistent pain point, 
having to make two trips to get your credential. And I know there 
has been various discussions about how to mitigate that. They have 
portable enrollment centers. You can move certain enrollment cen- 
ters around the country. But, again. I’m from GAO, not TSA. So, 
that’s probably a better question for TSA. 

Senator Snowe. Mr. Pistole? 

Mr. Pistole. So, Senator, yes, it’s clearly less than ideal for most 
persons who are not located close. I have a map of where the per- 
manent enrollment centers are. And, of course, they’re located 
where most of these workers that would need them. We’ve also 
done several dozen of the mobile centers. And if there’s a need in 
Maine that you’ve identified that would need one of these mobile 
centers. I’d be glad to take a look at that to try to facilitate that. 
So, we’re — and also, by allowing the applicants to pick up their 
card at a different location, as noted, because they do move around 
and are — work in different places, it is a challenge, in trying to 
comply with the NIST standards, in terms of the best security, 
while also providing for the best convenience. So, that’s the dy- 
namic we deal with. 

Senator Snowe. Well, there is obviously a gap between the en- 
rolled and the activated. So, is it your surmisal that they travel 
from one place to another — activate at one — enroll in one area and 
activate it in another location? 

Mr. Pistole. Some of the applicants request that, because 
they’re jobs have changed 

Senator Snowe. Do they have to get prior approval for doing 
that? 

Mr. Pistole. You know, I don’t know that. I’ll have to check on 
that. 

Senator Snowe. Well, somehow, we’re going to just have to make 
this simpler. I just think it’s cumbersome and bureaucratic. I 
mean, only 167 centers nationwide. So, it just — there must be a 
better way. I mean, I think about the amount of money that has 
already been spent on this program. Frankly, I think — the Chair- 
man and I are probably one of the few members that were here on 
the Committee post-9/11, working on this very issue, and this was 
one of the issues that was identified as a priority. And that was 
back in the aftermath of 9/11. In 2002, we began this process. I 
think it was then former President Bush identified as, you know, 
having the identity of these workers established, and developing a 
system. And we will have spent $3.2 billion, and we’ve yet to clear 
all the hurdles to say that it’s fully implemented and satisfied. 

And so, I think it’s — it — presenting enormous difficulties and 
complexity and failing to uphold the major standard, which is to 
confirm the identity of a cardholder. I mean, ultimately, that is not 
something that’s been achieved at this point, it seems to me. And 
so, now we’re going to spend all this money on biometric reading 
and digital devices, which are going to cost, as I understand it, up 
to $8,000 apiece. Is that correct? 

Admiral CooK. That is correct, yes. 
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Senator Snowe. It is. So — I mean, so there’s another monu- 
mental cost. And next year, we’re supposed to have — mandate the 
use of these cards. Are we going to be prepared for that? 

Mr. Pistole. So, that is one of our challenges. And that’s exactly 
why I’ve asked, along with Coast Guard and the Department, to — 
asking GAO to look the cost-benefit analysis of this whole program, 
because we do have hundreds of millions invested in it, between us, 
the U.S. Government, taxpayers, and industry. The question is, 
what’s our return on investment? Are we clearly safer? Yes, we are. 
But, at what cost? And so, that’s why we’ve asked for GAO to fol- 
low up on this. 

Senator Snowe. Well, I guess it’s a red flag for all of us in Con- 
gress. I mean, I think if it takes so long to get a program up and 
running, something must be truly wrong, and we’ve got to decide 
differently, because it has been the better part of the decade, obvi- 
ously, and we still haven’t completed it. And yet, it’s going to cost 
a great deal. I mean, it has been practically, what, from 2002 to 
2012, essentially, and we’re still not that much further ahead, in 
terms of where we need to be, and all the other problems that have 
been exposed. 

In 2006, I introduced an amendment to the SAFE Port Acts that 
required a GAO report to review the various background checks 
among various agencies. Now, is there any way that we can sort 
of synchronize these background checks, you know, so that we can 
have one unified background check, in credentials, for workers, in- 
stead of, you know, multiplicity? 

Mr. Pistole. So, that’s what 

Senator Snowe. Admiral Cook, and Mr. Pistole? 

Admiral CooK. Well, Senator 

Senator Snowe. Who’s in charge on this one? 

Admiral CooK. I’ll go ahead and 

Senator Snowe. OK. 

Admiral CooK. — step up. Senator. But, I think the — you know, to 
answer your question, we’re kind of at a pivotal time right now in 
the program, because the pilot reader program is being concluded. 
I don’t know if you were in here when we mentioned it would — the 
Administrator mentioned that that data for the final report will be 
closed out at the end of this month. And then that report will come 
over to the Coast Guard, and that will be part of the background 
for our notice of proposed rulemaking to establish the readers. 

So, I think, you know, in terms of the GAO audit, the work that 
has already been put into the TWIC, we are on the verge of being 
able to exploit the fundamental biometric data that we all wanted 
to achieve. And I know that the industry, who has been — you 
know, used to having the TWIC cards just flash passed us for the 
last few years, is anxious to move to that phase. They understand 
there’ll be some costs. They’re anxious to participate and help us 
get it right. And I think that’s what I can offer at this time. 

Senator Snowe. Well, is it going to be interoperable in any way? 
I mean, are you — talking about this, you know, electronic reader — 
is that all going to be interoperable with other systems within gov- 
ernment, or is it going to be stove-pipe? 

Admiral CooK. The standards are — should be set, such that they 
were — have the ability to read several different kinds of cards. And 
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that’s the — that will be a plus, right there. The — but, they’ll be fo- 
cused back to databases which relate to the TWIG, from what I un- 
derstand right now. But, as I say, as a pivotal point, we can start 
integrating different aspects that the GAO has brought to our at- 
tention and that we already have some internal programs for. 

Senator Snowe. Well, is it — can we understand, then, that 
there’s going to be harmonization of these security credentials, 
among agencies, or not? I guess that’s the question. 

Mr. Pistole? 

Mr. Pistole. So, that’s — Senator, that’s one of the things, at 
least within the Department of Homeland Security, the Secretary 
is focused on, to ensure that, for example, just within TSA, we do 
vetting and credentialing for up to 15 million people in 28 different 
categories. So, there’s a lot of that just within what we’re doing. 
And that’s what the Secretary is focused on. 

Senator Snowe. Thank you. 

I ask unanimous consent to include my statement in the record, 
Mr. Chairman. Thank you. 

Senator Lautenberg. Without any objection, certainly. 

[The prepared statement of Senator Snowe follows:] 

Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine 

Thank you, Mr. Chairman for holding this hearing. As an original requestor of 
the GAO report presented today, I have great concerns about the Transportation 
Worker Identification Credential, or TWIC card, and the security of our nation’s 
ports. For nearly a decade we have been grappling with many port security ques- 
tions, and I think the report we see today identifies a need for review of current 
security practices. When we joined several of our colleagues to request this critical 
review of the TWIC, I believe you and I shared the view that when it comes to mari- 
time security, we can, and must do better to protect our country’s 360 ports and 
maritime facilities. 

Biometric identification cards for transportation workers were one of the first se- 
curity challenges addressed by Congress following September 11 in the Aviation and 
Transportation Security Act of 2001. In subsequent years, the mandate for identi- 
fication for port workers was amended several times to define the ID we now call 
the TWIC. Since 2007, more than 1.7 million truckers, merchant mariners, long- 
shoreman, and port workers have been issued these cards. Even the students at the 
Maine Maritime Academy have these $132 Federal security credentials to access the 
secure port facility on campus. 

Secure ID cards like the TWIC are vital in insuring that access to critical port 
facilities is restricted to known-persons. In 2004, President Bush issued Homeland 
Security Presidential Directive Number 12, which among other things, required the 
Federal Government to establish a standard for “secure and reliable forms of identi- 
fication” that must: (1) reliably identify an employee’s identity, (2) be resistant to 
tampering or counterfeiting, (3) be rapidly authenticated electronically, and (4) be 
issued by providers whose reliability has been established. Unfortunately, we can 
see from today’s report that the TWIC credential has failed on all counts. 

The truth of the matter is, the implementation of the TWIC card has not in- 
creased the level of security at our ports as designed, and has become another exam- 
ple of bureaucracy at its worst. Not only do the cards fail to accurately establish 
that transportation workers are who they say they are, they fail to work as de- 
signed, require an unwieldy process to obtain, and add yet another redundant cre- 
dential to the list of federal security cards. 

Today’s report indicates that the TWIC card may fail the first fundamental chal- 
lenge of a security credential- accurately confirming the identity of the cardholder. 
GAO investigators were able to obtain TWIC cards by misrepresenting themselves 
as natural born U.S. citizens and by presenting forged birth certificates and drivers 
licenses. We’re told that the documents presented can even be noted in the system 
as forgeries, but that these red flags are not accessible by the final adjudicator! 
Even if the TWIC processing center indicates a probable forgery, there is no path 
for review of the original documents presented. 
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Even worse, the production of a false card does not seem to be beyond the capa- 
bility of a common criminal. Since the cards are often used as “flash passes” where 
card holders simply wave the card at a gate agent, the cards only need a passing 
resemblance to the true card. GAO inspectors were able to enter port facilities with 
false cards, unchallenged on a number of occasions! The lack of digital verification 
of TWIG cards is a critical failure in ensuring the effective use of the credential, 
and we must move forward quickly in deploying cost effective, equipment designed 
for a marine environment. 

The TWIG cards have also so far failed to be rapidly authenticated electroni- 
cally — most are worn as another badge, or presented for visual inspection, often 
from a distance of several feet. And the deployment of mobile readers suitable for 
ports has been slow at best. The substantial Federal investment of more than $400 
million in the past 8 years, combined with the industry investment of approximately 
$200 million was designed to enhance and protect our nations ports, but I question 
if the program has been administered to provide the greatest security benefit. 

In the next year, a mandate for the use of TWIG card readers will begin to roll 
out, and we must ensure that we invest wisely in technology that will add to our 
security, and not just our bottom line. I would like additional information from our 
witnesses on the costs associated with the technology requirements, and how to best 
utilize the readers to maximize their security impact. 

The GAO report which we receive today also highlights significant concerns with 
the process used to vet applicants and reliably confirm the identity of individuals 
granted these security credentials. From asking workers to self identify a need for 
access to ports, and their place of birth, to incomplete verification of identity docu- 
ments, it is clear that the security process for reviewing TWIG applicants has sig- 
nificant loopholes. I look forward to hearing from Administrator Pistole how TSA 
plans to address the concerns noted in the report. 

Frustratingly, this is not only a security problem; the two separate visits needed 
to process TWIG credentials has a impact on trucking, shipping, and port workers 
and managers. Workers must first take the time to visit the enrollment center near- 
est them, which in some cases may be many miles away. At this time, Maine has 
only two TWIG enrollment centers of 167 nationwide. Students from the Maine Mar- 
itime Academy must travel the 50 miles from Gastine, where the Academy is lo- 
cated, to Bangor, where the nearest TWIG processing center is located to begin the 
application, and back to the center again several weeks later to activate and pick 
up their TWIG card. While most of these locations are at, or near busy ports, with 
a highly mobile work force, this is a poorly thought out process that does not mirror 
the distribution of other Federal documents like passports which can be mailed to 
applicants. 

Port workers, truckers, and other maritime professionals find themselves forced 
to obtain this additional security, often in addition to several other Federal issue 
identifications or endorsements. The TWIG is often carried in addition to Merchant 
Mariner Licenses, Merchant Mariner Gredentials, and Gommercial Drivers Licenses 
with Hazardous Materials Endorsements. How many times must the Federal Gov- 
ernment screen and provide access credentials to a single individual? Gan the de- 
partments of the Federal Government not work together to grant a single document 
to port and maritime workers to access and secure their workplace? 

In 2006, I offered an amendment to the SAFE Ports Act, which required GAO to 
look into these Federal background checks for credentials like these. While GAO 
and DHS identified several credentials which can use the same background check 
information, I believe we must take additional steps to reduce duplication of effort 
and the unnecessary repetition of these background checks. We must implement 
common sense reform to ensure efficiency and maximize cost savings — credentialing 
operations should be streamlined by reducing the number of redundant offices and 
procedures. 

I look forward to the testimony of today’s witnesses, and I will be looking for in- 
formation on how we can improve the credentialing process, the use of the card, and 
how we can adapt the use of the document to ensure the security of our nation’s 
ports. 

Thank you, Mr. Ghairman. 

Senator Lautenberg. And thank you, Senator Snowe, for your 
diligence in matters of security for our country, and particularly be- 
cause the state of Maine has so much water access and ports that 
mean a lot. We thank you for your efforts. 
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The questions that have arisen here are obviously a small num- 
ber of the questions that actually exist. And we kind of feel like 
we’re looking at a Rubik’s Cube here. You know, you don’t know 
where to start and quite where to stop. And we’re talking about 
somewhat safer, but I wonder if that can be — if that sentence can 
end — or, that expression can end with “somewhat safer,” because 
I think there’s also larger risk accompanying this because of the 
fraudulent nature of things. 

And I ask, Mr. Pistole, when we know that GAO investigators 
were able to fraudulently obtain TWIG cards, use them for access 
to secure facilities — and these cards can be used to access literally 
thousands of facilities nationwide — so, what’s being done to prevent 
fraudulently obtained cards from being used to access the airports, 
military bases? I think Senator Snowe was going there, as well. 
And can we do something that says, “OK, these cards are good for 
limited use, limited time periods — reenrollment is the question that 
you raised — biometric — I don’t know — things that are visually pro- 
tected. When I hear of the number of ineligibles that wanted to 
sign up for a card, it tells me that there is something really amiss 
in the basic structure. 

And I ask you, any one of you, what — has there been an assess- 
ment of the program of any significance since its origination, some 
years ago? 

Mr. Lord. Sure. We’ve, again, done a large body of work on this. 
I’d like to think we contributed to some better understanding of 
what some of the program’s successes and weaknesses are. And 
when I think about this holistically, we’re trying to apply this pro- 
gram, on a very large scale, in a so-called one-size-fits-all manner. 
I think that when you do something of this magnitude, it’s really 
important to design it very carefully, number one, and, two, make 
sure your staff are well trained in implementing it. In our report, 
that’s essentially what we found wrong, that we found some design 
imperfections; some of the information they collect at the front end 
isn’t acted upon; and some of the security guards and trusted 
agents, which are delegated a large responsibility for making this 
thing successful, they had some lapses. Some of our covert inves- 
tigators used fraudulent documents and the trusted agents should 
have flagged them. I can’t really discuss any of the details, because 
it’s sensitive security information. But, you know, we found some 
holes at the front end and at the back end, when the security 
guards are looking at these things and letting people on their facili- 
ties. 

Senator Lautenberg. I’d almost like to ask that you — on a scale 
of 1 to 10, how comfortable we are with the progress that we’ve 
made, and this is not intended to be accusatory; it’s intended to un- 
derstand better where the problems are. I mean, the problems — we 
keep on, I think, discovering new problems as we move along here. 
And is the design an impossible one to make sense from? Or, 
what — anybody — I — ^you want to volunteer a quick opinion, Mr. Pis- 
tole? 

Mr. Pistole. Sure, Chairman. 

Senator Lautenberg. Admiral Cook? 

Mr. Pistole. No, I think this hearing has identified a lot of the 
challenges in trying to deploy a biometric card to a civilian popu- 
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lation in — on a large-scale basis. And I think, although some 
progress has been made, it is clearly not what anybody intended, 
especially those going back to post-9/11. So, I have my own con- 
cerns. And that’s why I’ve asked for the GAO to do, basically, a — 
just a top-to-bottom review to assess what that return on invest- 
ment is. 

The thing that I do have some comfort in is that we largely know 
about those who are working in ports now, and docks. The fact that 
they have access to a dock doesn’t mean they have access to the 
ship or anything else. I mean, there are obviously multiple layers 
of security, here. What I’m concerned about is the ease of using a 
fraudulent document. We know there’s, you know, tens of thou- 
sands, perhaps 35,000 places in the country you can get a birth cer- 
tificate, hopefully legitimate, but perhaps not. And if that’s a breed- 
er document, that’s a document you’re using to establish your bona 
fides; that makes it very difficult. The social engineering, which 
Mr. Lord referred to, simply having one of his folks — undercover of- 
ficers go in and, you know, say, ”I have an appointment here," even 
though the card doesn’t work, or, ”I need to use the restroom." So, 
that gets to this — to the training of the guards. And so, there — it 
is a complex issue. 

In answer to your question about 1-to-lO, I would put it at a 3 
right now. 

Senator Lautenberg. Either one of you — I’m going to go to my 
collea^es for a second round of questions — in response to my ques- 
tion — it sounds like what we’ve got — we’ve got a new idea: we’ll 
make prisons without bars, and maybe that will help control be- 
havior. I don’t think we’re quite getting there. 

Admiral Cook, do you 

Admiral CooK. Senator, I would say that I’m anxious to move to 
a phase where I believe we’ll provide — we’ll wring out some of the 
uncertainty when we go to more biometrics. And the reason I 
would say I’m anxious is, we have anecdotal evidence, because we 
have a strong network, through our area maritime security com- 
mittees, where we’re in constant contact with the facility security 
officers, the actual people paid, on the waterfront facilities, by their 
companies, to maintain security. And we have feedback that things 
like pilferage and other small crimes have been reduced. I don’t 
have statistical evidence. I’m just saying it’s all anecdotal. So, I 
would like to move past the anecdotes, past the feeling of the area 
maritime security. 

Senator Lautenberg. Well, we agree. 

Admiral CooK. And that — so, that’s where I am. 

Senator Lautenberg. Past the anecdotes. But, I’d like to move 
past the difficulties and the experiences that we’ve had. 

Mr. Lord, before I call on Senator Ayotte, do you have anything 
you want to volunteer, here? 

Mr. Lord. Again, a key program goal — I always like to go back 
to the program goals — there are four key program goals. One of 
them was to positively identify individuals applying for a TWIG. 
It’s difficult to positively identify someone. What they do now is 
negatively identify. And all that means is, they run your finger- 
prints past the FBI criminal records checks, and if there’s not de- 
rogatory information that comes back on that or the other database 
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checks, you’re given a TWIC card. You could say you’re Joe Blow, 
essentially have your fingerprints run, name checked; as long as no 
derogatory information comes back, you could be provided a card. 
And that’s not positively identifying; that’s a negative ID. So, it 
costs more, up front. It’s more rigorous. They have to make a judg- 
ment whether there are additional steps they can take, up front, 
to positively identify someone, like you do with a driver’s license; 
you have to show them your electric bill, show them some proof of 
documentation that you’re a resident in the state with that name. 
There’s more rigor, up front, involved. But, it makes for a better 
system. 

Senator Lautenberg. Senator Ayotte. 

Senator Ayotte. Thank you. Chairman. 

I wanted to ask, as I understand it — and whoever’s most appro- 
priate to answer this question — that part of the screening process 
would be to match it up against the terrorist watch list. And this, 
of course, makes sense, in terms of making sure that those individ- 
uals on the list don’t receive cards. So, that is part of the screening 
process. Is that right? 

Mr. Pistole. Th^at’s correct. Senator. 

Senator Ayotte. And have you ever had a situation where a 
TWIC applicant has actually been on the list — a known or sus- 
pected terrorist? 

Mr. Pistole. Yes. 

Senator Ayotte. Can you give us a sense on how frequently that 
has occurred? 

Mr. Pistole. So — infrequently, fortunately. And the actual num- 
ber is sensitive security information. But 

Senator Ayotte. Right. 

Mr. Pistole. — it’s a small number, out of the 1.8 million. But, 
yes, we do have — and I can give you the exact number — ^but, we do 
have a small number of people who are on the watch list who have 
applied and been denied. 

Senator Ayotte. And if that occurs, is the process denial? 

Mr. Pistole. So, it would probably be denial. But, there may be 
an instance, because of the reason the person’s on the watch list; 
and so we have to go back to the FBI or the intelligence community 
to see why they’re on the watch list. Is there something — because, 
there are all different levels of reasons, whether it’s material sup- 
port, fund raisers, as opposed to bomb throwers. So, there may be 
something in there that would be mitigating. 

Senator Ayotte. So, is there a procedure in place to coordinate 
with other agencies — for example, the FBI — in terms of how you 
deal with someone on the watch list that applies for the TWIC? 

Mr. Pistole. Yes. So, there is. But, in the process of preparing 
for this hearing. I’ve found something that we can improve that I 
don’t want to go into in an open hearing. But, yes, there is a vul- 
nerability there that we need to address, both between us and with 
the FBI. 

Senator Ayotte. Is that something that we could learn about in 
a more appropriate 

Mr. Pistole. Yes, absolutely. 

Senator Ayotte. — classified setting? 

Mr. Pistole. Sure. 
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Senator Ayotte. Because, I think it’s very important. Because, 
obviously, one of the issues we wanted to address, post- 9/11, was 
the coordination among agencies 

Mr. Pistole. Right. 

Senator Ayotte. — and making sure that, if we have that situa- 
tion, that, if we need to create a situation where further intel- 
ligence-gathering has to occur, we’re all working from the same 
page. So, I would really appreciate that answer in a more appro- 
priate setting. 

Mr. Pistole. Absolutely. I’d be glad to do it after this, if you 
have time. But, yes. 

Senator Ayotte. Great. Thank you. I appreciate that. 

I also just wanted to share the concerns, as I understand, that 
have already been raised by my colleagues, and I raised in my 
opening statement, about figuring out a way where the multiple 
trips by the transportation workers to the enrollment centers, par- 
ticularly those that live in areas that aren’t so close to some of 
those centers. Is there a better way to do it? Can we do it in a more 
efficient way? And I know that many of my colleagues asked you 
about that, so I won’t repeat that. But, I would echo their concerns. 

Mr. Pistole. Noted. 

Senator Ayotte. And finally, to the extent you haven’t answered 
this, but if you can help me with it — when you’re in a position 
where DHS is doing multiple screening processes — and you men- 
tioned it in your opening statement — so, one facility, for example, 
could be going through one type of process, and that same facility 
may have to get a screening from you in another process. What is 
it that you are doing to eliminate those redundancies that — ^you 
know, one of the concerns — it’s not just a cost issue of how much 
the redundancies cost on both the applicant and the government 
cost, but also, when you’ve got the right hand and the left hand, 
you can end up in confusion. So, if you could address that. I’d ap- 
preciate it. 

Mr. Pistole. Sure, Senator. So, there are a couple aspects to 
this. One is what we’re doing, in terms of trying to limit the num- 
ber of security threat assessments, the STAs, that would be done 
for somebody who has any type of government-issued ID that gives 
them access to something. So, we — 15 million people, that I’ve men- 
tioned, in the private sector, that we do some type of background 
and credentialing for them — so, do they — if they have, for example, 
a TWIG card, a hazardous material endorsement card, if they’re an 
aviation worker — have access, or something — any number of 
things — and, of course, different things for other components — can 
we use that STA, that security threat assessment, that would apply 
to all of those? So, that’s something that we’re working through, 
just to streamline, make more efficient. 

In terms of the enrollment, I know, between Coast Guard and 
TSA, we have consolidated some centers. So — and I would defer to 
the Coast Guard, in terms of the details of that — where a person 
would be able to go into a TWIG enrollment center and apply for 
something that would be a Coast Guard card. And so 

Senator Ayotte. Can you help me, also, in thinking about this — 
is there one universal standard, or are there multiple standards 
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that — and can we move, in appropriate settings, to one universal 
standard for, obviously, similarly situated settings for threat? 

Mr. Pistole. So, there’s not 

Senator Ayotte. That would seem simpler, from 

Mr. Pistole. Right. 

Senator Ayotte. — a government perspective. 

Mr. Pistole. Yes. And that would be — and it would be good for 
industry in many respects. But, for example, the criteria and 
standards that would be used — that we use on a national level for 
TWIG cards is a different standard than individual — 450 airports, 
for the — what they call the SIDA, the S-I-D-A, access — so — which 
are issued locally by each airport — and so, there — there’s not con- 
stituency there. And then — so, there are a number of issues that 
we could peel back on that that would be helpful, that we are mov- 
ing to try to address. There are a number of challenges there. 

Senator Ayotte. Well, you know, I appreciate that this is chal- 
lenging. And I hope that, to the extent we can, we do move to a 
universal screening process for those that are in the same category. 
I can recognize that there may be additional screening for those in 
different categories, depending on the amount of risk that could be 
incurred, based on the activity. 

Mr. Pistole. Exactly. 

Senator Ayotte. But, it seems to me that that would be a better 
way to rank it and rate it, based on risk of activity, with screening, 
so that we could use our resources more efficiently in a universal 
standard. 

Mr. Pistole. Agreed. Agreed. 

Senator Ayotte. So 

Senator Lautenberg. The record will be open for further submis- 
sions. 

Senator Ayotte. Great. 

Thank you very much. 

Senator Lautenberg. I would ask a question, here, related to 
something Senator Ayotte was talking about, about trying to define 
risks regarding the individual who’s applying for the card. But, I 
go further, and it’s said, and I’m sure you’re all aware, that New 
Jersey is home to the most at-risk area for a terrorist attack in the 
United States. The FBI said, the distance from the Newark Airport 
to the harbor is the most dangerous 2 miles in the country for a 
terrorist attack. There are 12 million people within a short radius 
of that area. So, shouldn’t the TSA, Mr. Pistole — and either one of 
you, as well — prioritize these high-risk areas for TWIG funding and 
implementation, and move on these things in some kind of priority 
basis? 

Mr. Pistole. Ghairman, I think it — ^yes, exactly. And the — part 
of this fits in with what we are doing with what we’re describing 
as a risk-based security initiative, and it applies as much to avia- 
tion as anything. But, that — this fits within that — that we expedite 
those in those high-risk areas, recognizing, similar to the Transpor- 
tation Security Grant Program, that there are a lot of different 
opinions about how those funds should be allocated. There’s also 
different priorities, depending on what outcome you’re trying to 
achieve. So, clearly, those who have access to the most sensitive 
high-risk areas should be expedited, and we’ll take that back. 
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Senator Lautenberg. Thank you. 

This hearing is to he adjourned. And we will keep the record 
open. And I ask that, within some degree of promptness, that re- 
sponses he given in writing. 

And I thank you. Senator Ayotte, for being here and for your 
questions. 

Thank all of you. 

[Whereupon, at 4 p.m., the hearing was adjourned.] 




APPENDIX 


Response to Written Questions Submitted by Hon. Bill Nelson to 
Hon. John S. Pistole 

Question 1. What specific efforts have been made to partner with the states to 
ensure that TSA is granted access to states’ criminal records, and guarantee that 
important information is not being neglected from background checks? 

Answer. The Department of Homeland Security, including the Transportation Se- 
curity Administration (TSA), recognizes that there is additional information at the 
state level not available currently via the criminal history records information pro- 
vided from the Department of Justice, Federal Bureau of Investigation (FBI). 

TSA has worked with the states, FBI and the National Crime Prevention and Pri- 
vacy Compact Council to convene working groups to identify possible solutions to 
receive data directly from other states and to identify a standard, automated, cost 
efficient and effective solution. TSA discovered multiple problems with obtaining in- 
formation directly from the states: 

a. The states have var3dng data systems, legal and practical constraints, and 
TSA would likely be required to develop and build a unique solution for each 
state in order to request data directly for each Security Threat Assessment 
(STA) case. To minimize these problems, TSA has discussed with the states an 
option of defining one common technical solution through which states could 
send their data directly to TSA. TSA is pursuing this effort as part of the Trans- 
portation Threat Assessment and Credentialing (TTAC) Infrastructure Mod- 
ernization (TIM) program, which was established to standardize and consolidate 
TSA’s security threat assessment systems. 

b. Because many transportation workers have resided in and continually travel 
across multiple states, requesting and receiving state level data from only an 
applicant’s state of residence or enrollment may miss criminal history in other 
states. 

c. Some states may require additional fees to request and receive information 
directly, rather than using the FBI’s system. Most TSA STA programs are pri- 
marily funded via user fees and this additional cost could dramatically increase 
the fees charged to workers. 

For all these reasons, TSA has determined that using the established FBI Inter- 
state Identification Index (III) system to request and receive data from all states 
would be the most effective and efficient solution. State level criminal history data 
may be accessed via the HI system managed by the FBI. The extent of access to 
state level data is based on the purpose for the data request; however, a program 
must be deemed to have a criminal justice purpose in order to receive the full 
breadth of Criminal History Records Information (CHRI) available from all 50 states 
and the District of Columbia. Many states may not upload all available information 
into the FBI biometric system made available to TSA today, and many states do 
not provide their III records for “non-criminal justice” activities. 

The Department of Justice has deemed that TSA’s security threat assessments for 
TWIC and other similar programs are non-criminal justice activities. As a result, 
TSA is effectively provided the same access as an employer, and does not receive 
all available information. Additionally, TSA is not authorized to request subsequent 
CHRI for the purpose of conducting recurrent criminal background checks without 
a submission of new fingerprints from the individual. 

To provide the most robust recurrent vetting against criminal history records, 
TSA needs full access to CHRI similar to the access granted to criminal justice 
agencies and law enforcement officers. TSA, in coordination with the Department 
of Homeland Security (DHS), has and will continue to work with the FBI, the Na- 
tional Crime Prevention and Privacy Compact Council, and states to expand access 
to the CHRI. 
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Question 2. The TWIC program currently does not make an effort to ensure that 
its holders are legally permitted to work under our immigration laws. Our immigra- 
tion system is largely administered by the same department in which TSA is con- 
tained, the Department of Homeland Security, and it’s no secret that individuals are 
permitted to work for different lengths of time, and that visas expire. Why doesn’t 
the TWIC program reflect the reality of our immigration laws? 

Answer. The design of the Transportation Worker Identification Credential 
(TWIC) vetting program seeks to ensure consistency with current immigration laws, 
including the need to accommodate visa holders who receive an extension to their 
stay. 

TWIC leverages the capabilities of the Department of Homeland Security (DHS) 
as related to immigration. TWIC applicants who are not U.S. citizens undergo an 
immigration check using the U.S. Citizenship and Immigration Services (USCIS) 
Systematic Alien Verification for Entitlements (SAVE) data base. This check reviews 
an applicant’s immigration status using TWIC-eligible immigration categories, de- 
veloped as part of the rulemaking effort, that include visa categories that relate to 
working in the maritime industry. If the immigration check reveals information 
demonstrating that the individual is not in a TWIC-eligible immigration category, 
the individual is determined to be ineligible. If the check indicates that the indi- 
vidual may be in the U.S. illegally or improperly, the individual is determined ineli- 
gible and the Transportation Security Administration (TSA) coordinates with immi- 
gration authorities to take appropriate action. 

Input from industry and stakeholders strongly suggested that linking the TWIC 
expiration date to a non-U.S. citizen’s visa expiration date would be problematic. In- 
dustry feedback focused on minimizing the disruption to ports and the flow of com- 
merce when a non-U.S. citizen’s visa date was extended, as frequently happens. 
Electronic security features on the current TWIC make it impossible to extend the 
expiration date to reflect the extension of the visa. Furthermore, the TWIC expira- 
tion date is printed on the card. If the TWIC expiration was tied to the original visa 
expiration, the TWIC holder would have to assume the cost and process to get a 
new TWiC each time the visa was extended, or each time the individual came to 
the U.S. to conduct business. The ports would incur the economic cost of the individ- 
ual’s inability to access secure areas. 

As an alternative, the determination was made that individual employers — at the 
local level — should track the visa information on their non-immigrant employees, as 
they are required to do by law already, independent of TWIC. Per the TWIC regula- 
tion, individual TWIC holders are responsible for returning their TWICs if they no 
longer meet eligibility requirements and employers are responsible for collecting an 
individual’s TWIC upon the expiration of his/her work visa. 

TSA believes believe the current process strikes a reasonable balance between en- 
suring only those who are in lawful status to work in the U.S. have access to regu- 
lated facilities and the need to accommodate business needs when visa holders re- 
ceive an extension to their stay. Changing the requirement for the TWIC expiration 
date would entail significant changes to the current system and processes, including 
close integration with other DHS components and the Department of State, as well 
as oblige the TWIC holder to incur additional costs to obtain new credentials cor- 
related with the duration of the individual’s visa. 

Question 3. The contractors running the TWIC program have only denied one ap- 
plication that came under their discretionary review authority. What sort of over- 
sight is there for the 460,786 other applicants who were flagged by the first check, 
but ultimately granted TWICs? Is there any follow up to insure that the proper 
judgment was made about those individuals? 

Answer. The Transportation Worker Identification Credential (TWIC) program 
employs contractors for the TWIC enrollment and operations, and separate contrac- 
tors to assist with the high volume of TWIC applications to review background 
check information. The Transportation Threat Assessment and Credentialing 
(TTAC) staff makes the vast majority of initial denial decisions and all final denial 
decisions. The majority of the 460,786 approvals listed were made by the contractor 
after review of the background check information. TTAC provides a four-phased 
training program to all new adjudicators, both contractors and Federal employees, 
during which time the trainees are constantly evaluated. In order for a trainee to 
obtain status as a self-approver, he/she must pass a test administered by the gov- 
ernment. After a trainee has been approved to be a self-approver, the government 
maintains a quality assurance process, where 5 to 10 percent of each self-approver’s 
decisions are randomly reviewed each day to identify potential errors. 

It is important to note that the statement from (JAO concerning the adjudicator’s 
denial of “one application that came under their discretionary review authority” re- 
lates to a sentence in the TWIC regulations (49 CFR 1572.107(b)) that permits the 
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Transportation Security Administration (TSA) to disqualify an applicant for “exten- 
sive foreign or domestic criminal convictions; a conviction for a crime not listed in 
1572.103; or a period of foreign or domestic imprisonment that exceeds 365 consecu- 
tive days.” TSA created this provision to cover the unusual circumstance of an appli- 
cant who appeared to pose a distinct “terrorism security risk” called for by the stat- 
ute (46 U.S.C. 70105), but did not have serious criminal convictions listed on the 
specific list of disqualifying offenses. TSA never intended this provision to cover 
petty or frequent violators of the criminal code who, while perhaps untrustworthy 
and deceitful, did not pose a “terrorism security risk.” TSA intended for the list of 
criminal disqualifiers and periods for disqualification that are set forth by statute 
and regulation to be the primary list we would use to evaluate an applicant as to 
criminal history. (In fact, as of March 2011 TSA has denied TWICs to 35,661 out 
of 1.8 million applicants. 


Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 

Hon. John S. Pistole 

Question 1. It was discovered last week that A1 Qaeda was planning an attack 
on a U.S. rail line. To date, TSA’s efforts on rail security have been delayed, incom- 
plete and nearly nonexistent compared to aviation security. In light of this new plot, 
what immediate steps are you taking to increase rail security measures? 

Answer. 

Mass Transit and Passenger Railroad Seeurity 

In response to the news that A1 Qaeda was planning an attack on a U.S. rail line, 
the Transportation Security Administration (TSA) held teleconference calls with the 
Transit Policing and Security Peer Advisory Group (PAG) on Monday, May 2, 2011, 
and Friday, May 6, 2011. The PAG was established under the Sector Coordinating 
Council structure and serves as a vital component for the mass transit industry. 

On the May 2 call, TSA encouraged all public transportation agencies to ramp up 
visible deterrence measures, and promoted the value of conducting unscheduled Re- 
gional Alliances including Local, State, and Federal Effort (RAILSAFE) operations. 

During the May 6 call, the PAG members discussed increased rail security meas- 
ures that their respective public transportation systems were implementing. Such 
measures include: 

• Maintaining high levels of K9 units deployed, including vapor-wake teams on 
Amtrak trains 

• Special hriefings of engineers/track employees to emphasize reporting of sus- 
picious activity along Right of Way 

• Implementing special operations deplo 3 mients 

• Participating in Visible Intermodal Prevention and Response (VIPR) Team mis- 
sions in critical locations 

• Deploying Anti-Terrorism Teams 

• Sending out awareness notices urging vigilance to transit police and employees 

• Emphasizing the “See Something, Say Something” campaign 

• Adding extra police patrols over the weekend 

In addition to the independent security actions taken above, the public transpor- 
tation agencies across the United States conducted a RAILSAFE exercise on Tues- 
day, May 5, 2011, which was stood-up in less than 24 hours, and involved over 90 
agencies across 29 states and the District of Columbia, incorporating over 1,000 offi- 
cers. 

Going forward, TSA will continue Security Awareness messages and Operational 
Deterrence Programs, which include training, public awareness, K9 units, and VIPR 
Teams. The focus will shift from extended periods of time to shorter periods, such 
as months or weeks. TSA encourages continuing RAILSAFE operations on a random 
basis to prepare for various security threats. 

Freight Rail 

For nearly a decade, the freight rail industry, with guidance and assistance from 
TSA, has taken steps to reduce vulnerabilities within the freight rail network, spe- 
cifically, the vulnerability of potentially dangerous cargoes. The industry has sought 
to raise the baseline of security by emphasizing employee training and awareness, 
and by instituting fundamental changes to daily processes that emphasize deter- 
rence and increase the likelihood of detection of potential acts of terrorism. 
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Regarding the most recent intelligence that A1 Qaeda had plans to attack trains 
or railroad infrastructure, the information garnered was non-specific and general in 
nature. As such, TSA immediately communicated with the freight railroad industry 
and advised them to continue a state of vigilance and awareness. The success of this 
increased vigilance was evidenced by the increase in reporting of suspicious inci- 
dents detected throughout the railroad industry. 

In summary, TSA will continue to work closely with the freight railroad industry 
to ensure appropriate processes are in place that will enable them to meet emerging 
threats and continue to improve the baseline of security in the industry. 

Question 2. The TWIG program has more than one point eight (1.8) million people 
enrolled across the country, from crane operators to Alaskan fishermen. All of these 
applicants have access to secure facilities throughout the United States with their 
TWIG cards. Plus, the current enrollment process doesn’t even check to see if these 
applicants legitimately need access to secure facilities. Are you confident that the 
TWIG program is making our ports more secure? 

Answer. The Transportation Security Administration (TSA) is confident that the 
Transportation Worker Identification Gredential (TWIG) program has made the 
United States’ ports more secure. Although the 1.8 million workers who have been 
issued TWIGs are eligible to be granted unescorted access to secure areas of regu- 
lated facilities and vessels, they are not entitled or allowed to enter secure areas 
of facilities and vessels without the permission of the owners or operators of those 
facilities. 

Prior to the implementation of TWIG, the identity document requirements for ac- 
cess to secure areas of ports and vessels were dependent on each facility’s Facility 
Security Plan. Facilities often accepted a number of documents such as a driver’s 
license, passport, state ID, port/facility specific security card, or a Z-card (now Mer- 
chant Mariner Gredential). Without uniform credential issuance processes, most fa- 
cilities were unable to positively authenticate the identity of an individual or deter- 
mine the authenticity of the identity documents presented. There also were no uni- 
versal methods for determining if a once-valid credential holder were no longer eligi- 
ble for access privileges, or to effectively revoke an individual’s access permissions 
or credentials. TWIG enhances maritime security by providing one standardized bio- 
metric credential, removing the need to have security personnel discern the authen- 
ticity of multiple identity documents. In addition, TWIG standardized the security 
threat assessment (STA) conducted on workers in these secure areas to include com- 
prehensive terrorism, criminal history, and immigration checks. 

In advance of a rule requiring reader use, ports are now made more secure by 
readers installed and in use through the recently completed TWIG reader pilot; the 
voluntary installation and use of readers at many facilities; and the more than 200 
portable readers used by Goast Guard personnel to check TWIGs during routine fa- 
cility inspections. The use of these readers confirms that a valid TWIG is present, 
that it has not expired, and that it has not been revoked. In the biometric mode, 
the worker’s identity is confirmed. Port security will continue to be enhanced as 
more electronic readers are put into use at secure facilities and vessels around the 
country. 

Question 3. When the TWIG program expanded nationwide, most cards were 
issued within a short period of time — and most of those cards are set to expire in 
2012. What is TSA doing to work with labor and industry to prepare for the expira- 
tion of the current credentials? 

Answer. The Transportation Worker Identification Gredential (TWIG) enrollments 
began in October 2007 when enrollment centers were phased in nationwide. Over 
the eighteen month period from October 2007 until the national compliance date of 
April 15, 2009, 1.1 million people applied for a TWIG. The Security Threat Assess- 
ment and associated TWIG for each applicant must be renewed every 5 years, for 
the credential to remain valid. Therefore, the expiration dates for the initial popu- 
lation of TWIG holders is spread out from October 2012 to April 2014 (5 years after 
the national compliance date). Preparations are being made in advance of the im- 
pending initial five-year renewal cycle. The Transportation Security Administration 
(TSA) is in the process of developing policies and procedures that will ensure a 
smooth renewal phase for the transportation workers who rely on this card to do 
their jobs. TSA’s enrollment services contract provides for increased hours and days 
of operation, and additional equipment and personnel to meet fluctuating demands 
for service. These procedures both minimize the operational impact at TWIG enroll- 
ment centers, and ensure that individuals who have completed the redress process 
are not required to repeat the process when no new criminal information is found. 
This approach will help expedite adjudication during the expected surge in renewal 
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enrollments. Throughout this process, TSA will continue to engage the stakeholder 
community in order to minimize the impact of the renewal cycle on affected workers. 


Response to Written Questions Submitted by Hon. Jim DeMint to 
Hon. John S. Pistole 

Question 1. From GAO’s “TWIG Security Review” (GAO-11-657): 

“While TSA does not track metrics on the number of TWICs provided to appli- 
cants with specific criminal offenses not defined as disqualifying offenses, as of Sep- 
tember 8, 2010, the agency reported 460,786 cases where the applicant was ap- 
proved, but had a criminal record based on the results from the FBI. This rep- 
resents approximately 27 percent of individuals approved for a TWIG at the time. 
In each of these cases, the applicant had either a criminal offense not defined as 
a disqualifying offense or an interim disqualifying offense that was no longer a dis- 
qualification based on conviction date or the applicant’s release date from incarcer- 
ation. Gonsequently, based on TSA’s background checking procedures, all of these 
cases would have heen reviewed by an adjudicator for consideration as part of the 
second-level background check because derogatory information had been identified. 
As such, each of these cases had to be examined and a judgment had to be made 
as to whether to deny an applicant a TWIG based on the totality of the offenses 
contained in each applicant’s criminal report. 

While there were 460,786 cases where the applicant was approved, but had a 
criminal record, TSA reports to have taken steps to deny 1 TWIG applicant under 
this authority.” 

Does the TSA track metrics on the number of TWIGs provided to applicants with 
specific offenses defined as disqualif 3 dng offenses? If so, how many TWiCs have been 
provided to such applicants? Is it accurate to conclude that an applicant with spe- 
cific offenses defined as disqualifying offenses may only be provided a TWIG after 
receiving a waiver? 

Answer. As of March 2011, TSA has enrolled and vetted over 1.8 million maritime 
workers. As a result of DHS’s rigorous vetting process, 35,661 individuals were de- 
nied from receiving a TWIG. To clarify the quoted statement from the GAO report 
in the second paragraph of the question, that only 1 applicant has been denied a 
TWIG “under this authority”, the authority is the 49 GFR 1572.107(b) provision of 
the TWIG regulation. This provision permits the Transportation Security Adminis- 
tration (TSA) to disqualify an applicant for “extensive foreign or domestic criminal 
convictions; a conviction for a crime not listed in 1572.103; or a period of foreign 
or domestic imprisonment that exceeds 365 consecutive days.” TSA created this pro- 
vision to cover the unusual circumstance of an applicant who appeared to pose a 
distinct “terrorism security risk” called for by the statute (46 U.S.G. 70105), but did 
not have serious criminal convictions listed on the specific list of disqualifying of- 
fenses. TSA never intended this provision to cover petty or frequent violators of the 
criminal code who, while perhaps untrustworthy and deceitful, did not pose a “ter- 
rorism security risk.” TSA intended for the list of criminal disqualifiers and periods 
for disqualification that are set forth by statute and regulation to be the primary 
list we would use to evaluate an applicant as to criminal history. 

TSA tracks metrics on the number of Transportation Worker Identification Gre- 
dentials (TWIGs) provided to applicants, with specific offenses defined as disquali- 
fying, who apply for an appeal or waiver. TSA approved 44,444 appeal requests and 
7,962 waiver requests as of June 5, 2011, that involve disqualifying criminal of- 
fenses. 

An applicant, with specific offenses defined as disqualifying may also be provided 
a TWIG after approval of his/her request for an appeal where the applicant is able 
to prove that the disqualifying offense is out of scope (conviction is greater than 7 
years old and release from incarceration on that disqualifying offense is greater 
than 5 years old), the conviction was later reversed on appeal, the applicant is not 
the person who committed the offense, or other fact that shows that the disquali- 
fying offense standards have not been met. 

Question 2. How many applicants with the following criminal offenses as part of 
their backgrounds have been issued TWIGs through a waiver process? 

a. A crime involving a transportation security incident. A transportation security 
incident is a security incident resulting in a significant loss of life, environmental 
damage, transportation system disruption, or economic disruption in a particular 
area, as defined in 46 U.S.G. §70101. The term economic disruption does not include 
a work stoppage or other employee-related action not related to terrorism and re- 
sulting from an employer-employee dispute. 

Answer. 4 waivers approved 
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Question 2b. Improper transportation of a hazardous material under 49 U.S.C. 
§5124, or a state law that is comparable. 

Answer. 22 waivers approved 

Question 2c. Unlawful possession, use, sale, distribution, manufacture, purchase, 
receipt, transfer, shipping, transporting, import, export, storage of, or dealing in an 
explosive or explosive device. An explosive or explosive device includes, but is not 
limited to, an explosive or explosive material as defined in 18 U.S.C. §§232(5), 
841(c) through 841(f), and 844(j); and a destructive device, as defined in 18 U.S.C. 
§ 921(a)(4) and 26 U.S.C. § 5845(f). 

Answer. All crimes involving explosives, explosives devices, and/ or other lethal 
devices are classified in the same manner. 89 waivers approved 
Question 2d. Murder. 

Answer. 564 waivers approved 

Question 2e. Making any threat, or maliciously conve 3 dng false information know- 
ing the same to be false, concerning the deliverance, placement, or detonation of an 
explosive or other lethal device in or against a place of public use, a state or govern- 
ment facility, a public transportations system, or an infrastructure facility. 

Answer. All crimes involving explosives, explosives devices, and/ or other lethal 
devices are classified in the same manner. Question c. and e. are tracked as one 
metric with a total of 89 waivers approved for all explosive crimes. 

Question 2f. Violations of the Racketeer Influenced and Corrupt Organizations 
Act, 18 U.S.C. § 1961, et seq., or a comparable state law, where one of the predicate 
acts found by a jury or admitted by the defendant, consists of one of the crimes list- 
ed in paragraph 49 C.F.R. § 1572.103(a). 

Answer. All crimes involving Violations of the Racketeer Influenced and Corrupt 
Organizations Act are classified in the same manner. 26 waivers approved 
Question 2g. Attempt to commit the crimes in paragraphs listed under 49 C.F.R. 
§ 1572.103(a)(1) through (a)(4). 

Answer. Attempts to commit the crimes in paragraphs listed under 49 C.F.R. 
§ 1572.103(a)(1) through (a)(4) are not tracked separately. 

Question 2h. Conspiracy or attempt to commit the crimes in 49 C.F.R. 
§ 1572.103(a)(5) through (a)(10). 

Answer. Conspiracy or attempt to commit the crimes in 49 C.F.R. § 1572.103(a)(5) 
through (a)(10) are not tracked separately. 

Question 2i. Unlawful possession, use, sale, manufacture, purchase, distribution, 
receipt, transfer, shipping, transporting, delivery, import, export of, or dealing in a 
firearm or other weapon. A firearm or other weapon includes, but is not limited to, 
firearms as defined in 18 U.S.C. § 921(a)(3) or 26 U.S.C. § 5845(a), or items con- 
tained on the United States Munitions Import List at 27 C.F.R. §447.21. 

Answer. 942 waivers approved 
Question 2j. Extortion. 

Answer. 6 waivers approved 

Question 2k. Dishonesty, fraud, or misrepresentation, including identity fraud and 
money laundering where the money laundering is related to a crime described in 
49 C.F.R. § 1572.103(a) or (b). Welfare fraud and passing bad checks do not con- 
stitute dishonesty, fraud, or misrepresentation for purposes of this paragraph. 
Answer. 922 waivers approved 
Question 21. Bribery. 

Answer. 12 waivers approved 
Question 2m. Smuggling. 

Answer. 9 waivers approved 
Question 2m. Immigration violations. 

Answer. 0 

Question 2o. Distribution of, possession with intent to distribute, or importation 
of a controlled substance. 

Answer. 2,968 waivers approved 
Question 2p. Arson. 

Answer. 61 waivers approved 

Question 2q. Kidnapping or hostage taking. 

Answer. 24 waivers approved 

Question 2r. Rape or aggravated sexual abuse. 

Answer. 281 waivers approved 
Question 2s. Assault with intent to kill. 

Answer. 4 waivers approved 
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Question 2t. Robbery. 

Answer. 552 waivers approved 

Question 2u. Fraudulent entry into a seaport as described in 18 U.S.C. § 1036, or 
a comparable state law. 

Answer. 0 waivers approved 

Question 2v. Violations of the Racketeer Influenced and Corrupt Organizations 
Act, 18 U.S.C. § 1961, et seq., or a comparable state law, other than the violations 
listed in paragraph 49 C.F.R. § 1572.103(a)(10). 

Answer. All crimes involving Violations of the Racketeer Influenced and Corrupt 
Organizations Act are classified in the same manner. Question f. and v. are tracked 
as one metric with a total of 26 waivers approved for all RICO crimes. 

Question 2w. Conspiracy or attempt to commit the interim disqualifying felonies. 

Answer. Conspiracy or attempt to commit interim disqualifying felonies are not 
tracked separately. 

Question 3. From GAO’s “TWIC Security Review” (GAO-11-657): 

“TSA regulations provide that in determining whether to grant a waiver, TSA will 
consider: (1) the circumstances of the disqualifying act or offense; (2) restitution 
made by the applicant; (3) any Federal or state mitigation remedies; (4) court 
records or official medical release documents indicating that the applicant no longer 
lacks mental capacity; and (5) other factors that indicate the applicant does not pose 
a security threat warranting denial of a hazardous materials endorsement or 
TWIC.” 

These criteria generally, and (5) in particular, seem to grant broad latitude to 
TSA to grant TWICs to convicted felons. Please detail for the committee the guid- 
ance you have provided to your staff regarding the granting of waivers for disquali- 
fied individuals. 

Answer. The waiver review regulation is designed to provide a framework, for 
subjective assessment of whether the Transportation Worker Identification Creden- 
tial (TWIC) applicant has overcome the presumption that he/she poses a security 
risk, for reviewing the totality of the TWIC applicant’s criminal background and cir- 
cumstances. The Transportation Security Administration (TSA) has maintained ex- 
tensive communication between TSA’s Office of Chief Counsel (OCC) and Office of 
Transportation Threat Assessment and Credentialing (TTAC) to develop guidelines 
and training materials to accomplish waiver reviews and make waiver determina- 
tions. Each waiver request is assessed by obtaining and reviewing information from 
the applicant as well as pertinent law enforcement, legal, business, and community 
officials. Once sufficient material has been obtained and reviewed, a recommenda- 
tion to grant or deny the waiver is made to the appropriate TTAC decisionmaking 
official, and the TTAC official makes the waiver decision. 

According to 46 U.S.C. 70105(c)(2), TSA must develop a waiver program and give 
“consideration to the circumstances of any disqualifying act or offense, restitution 
made by the individual, Federal and State mitigation remedies, and other factors.” 

TSA proposed a list of disqualifying offenses and did not limit the crimes that are 
eligible for a waiver in its initial notice of proposed rulemaking, which was subject 
to broad public comment, and included consultation with the Department of Justice 
as part of the rulemaking process. Many comments asserted that criminal history 
generally does not give rise to the “terrorism security risk,” as called for by the stat- 
ute, and the list of disqualifying offenses should be much shorter than TSA’s pro- 
posed list. Many feared that too many workers would be disqualified, and commerce 
and small businesses would suffer significantly as a result. Thus, TSA balanced a 
variety of important legal and policy issues in arriving at the current policy. 


Response to Written Questions Submitted by Hon. Roger F. Wicker to 
Hon. John S. Pistole 

Question 1. What steps were taken to identify security vulnerabilities in the 
TWIC program before it was implemented? 

Answer. The Transportation Worker Identification Credential (TWIC) program fol- 
lowed the principle of establishing a chain-of-trust from the initial enrollment of an 
applicant to delivery of their TWIC. Best practices from other credentialing pro- 
grams were reviewed and adopted as appropriate. Integrating document authen- 
ticating scanner technology to assist in identifying counterfeit documents, such as 
driver licenses and passports, and comparing a new applicant’s fingerprints to those 
of previous applicants, to catch an attempt to enroll more than once, are two exam- 
ples of adopting best practices from other programs. 
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The secure card technology and issuance procedures for a TWIC are very similar 
to the standards developed for government workers and contractors, specified for the 
Personal Identity Verification (PIV) card. The physical security features on the card 
meet the highest levels of counterfeit resistance specified by the Government. The 
procedures for issuing the TWIC ensure that the card is only delivered to its rightful 
holder. 

Question 2. The information encoded in the TWIC cards includes sensitive infor- 
mation about the cardholders, including information that could be used to profile 
cardholders. What steps are taken to protect this information from being leaked to 
third parties? 

Answer. Protecting personal privacy is a key component of the Transportation 
Worker Identification Credential (TWIC) program’s mission statement. TWIC in- 
cludes limited personal information contained on the card. The TWIC contains only 
three elements of personal information: name, facial photograph, and fingerprint 
templates for two fingerprints. The cardholder’s name is printed on the card and 
encoded on the Integrated Circuit Chip (ICC) so that it may be freely read by a card 
reader. The facial photograph is also printed on the card and encoded on the ICC. 
However, it is encoded on the ICC such that it is protected from being viewed by 
a card reader without a Personal Identification Number (PIN) — selected by, and 
known only to, the cardholder. The fingerprint templates are stored in two locations 
on the card to facilitate use by either a TWIC reader or a Personal Identity 
Verification card reader. In the first case, the algorithm is encrypted to prevent dis- 
closure of the template if an attempt is made to “skim” {i.e., the practice of inter- 
cepting information from a smart card using a device without the knowledge of the 
card holder) the card using radio-frequency technology. To decrypt the algorithm, a 
cardholder must physically “swipe” or insert his/her card into a reader. Thus, an un- 
encrypted fingerprint template cannot be obtained without the cardholder’s action. 
In the second case, the algorithm is available only after entering a PIN. 

Note: A fingerprint template is a compact digital representation of distinct charac- 
teristics derived from a fingerprint image. Fingerprint templates are used as the 
basis for comparison during biometric authentication. 

Question 3. After the Agency addresses the problems cited by the GAO report, 
how will it evaluate those remediation steps to determine that they close the gaps 
the GAO identified? 

Answer. The Transportation Security Administration (TSA) is currently working 
to initiate the recommended controls assessment of the Transportation Worker Iden- 
tification Credential (TWIC) program. As part of this assessment, a method will be 
established for each control enhancement that defines how TSA will monitor the ef- 
fectiveness of the change. While the evaluation technique will depend on the remedi- 
ation method, TSA plans to continue unannounced system and operational audits 
regarding key security areas. In addition, reporting mechanisms will be created that 
will assist TSA in ensuring that any new security procedures are being followed. 

Question 4. Robust and effective cybersecurity and the protection of freight infor- 
mation systems are important elements in port security for the United States. 
Among other important goals of port security are the ability to reliably and economi- 
cally detect weapons of mass destruction that may be hidden in containers and 
cargo. Additionally it is important to verify the trustworthiness of foreign shippers. 
The compromise of data and information systems that relate to these vulnerabilities 
would represent critical risks to national security. Has the cybersecurity of port se- 
curity systems, and related freight information, been addressed? 

Answer. Yes. All U.S. Customs and Border Protection (CBP) systems, including 
port security systems, abide by the Federal Information Security Management Act 
(FISMA) of 2002. FISMA requires each Federal agency to develop, document, and 
implement an agency-wide program to provide information security for the informa- 
tion and information systems that support the operations and assets of the agency. 
CBP has developed a robust Certification and Accreditation program to align with 
the goals and objectives of FISMA. Additionally, the Security and Technology Policy 
Branch ensures that port security systems align with DHS Sensitive Systems Policy 
Directive 4300A and CBP Information Systems Security Policies and Procedures 
Handbook 1400-05D. 

The National Cyber Security Division (NCSD), within the National Protection and 
Program Directorate’s Office of Cybersecurity and Communications, is working with 
its public and private sector partners to address industrial control systems security 
and general cybersecurity at port and shipping facilities. Its Control Systems Secu- 
rity Program (CSSP) provided resources to conduct high-level assessments in Bos- 
ton, Houston, and Norfolk. The assessment reports are still in development. Using 
the Cyber Security Evaluation Tool, CSSP will be conducting evaluations at ports 
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and terminals located at the top ten facilities, based on a ranking by the Depart- 
ment of Transportation’s Bureau of Transportation Statistics, as well as Maersk 
Shipping. In 2009, CSSP conducted several evaluations of freight rail facilities, as 
well as a port facility in Saipan, Commonwealth of the Northern Mariana Islands. 

Question 5. What evaluations, assessments, and tests have been performed to de- 
termine whether other port security systems under the agency’s purview, such as 
freight information systems, can be compromised as readily as the GAO was able 
to with the TWIC program? 

Answer. CBP employs a defense-in-depth approach to security. As a component 
of FISMA, a detailed and thorough Security Test and Evaluation (ST&E) of port se- 
curity systems is conducted. Testing includes personal interviews, scans of 
workstations, websites and data bases, and a physical site assessment to find and 
mitigate potential vulnerabilities. Additionally, CBP site risk assessments are per- 
formed to evaluate the site’s security posture. Risk assessments are performed con- 
tinuously throughout the calendar year. Each port security system also has a dedi- 
cated Information Systems Security Officer (ISSO) who handles day-to-day security 
for the system. ISSO duties include daily/weekly log file examination, review of the 
CBP Security Operations Center monthly enterprise vulnerability scans, and over- 
sight of configuration management. 

NCSD’s Critical Infrastructure Protection — Cyber Security (CIP-CS) program is 
in discussions with the Maritime Sector Specific Agency (U.S. Coast Guard) to scope 
a Maritime Sector-wide cybersecurity risk assessment. This assessment would focus 
on identifying and assessing risks to categories of cyber critical infrastructure that 
support Maritime Sector critical functions. CIP-CS is conducting this work in sup- 
port of the critical infrastructure and key resources cross-sector community to iden- 
tify cyber critical infrastructure and support sector-wide approaches to cybersecurity 
risk management. 


Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 
Rear Admiral Kevin Cook 

Question 1. The Coast Guard uses a risk analysis model to inform decisions on 
how best to secure our nation’s ports and allocate limited resources. Could the Coast 
Guard model be applied to TWIC to assess its effectiveness and to enhance security? 

Answer. The Coast Guard Maritime Security Risk Analysis Model (MSRAM) is a 
terrorism risk analysis tool and process used by Coast Guard analysts across the 
nation to perform detailed risk analysis for their areas of responsibility. The results 
of this process are used to support a variety of risk management decisions at the 
strate^c, operational, and tactical levels. 

During the initial rollout of TWIC, MSRAM data was used as part of a risk anal- 
ysis approach in developing TWIC reader requirements in the maritime sector, and 
MSRAM will continue to provide risk analysis support to TWIC. However, since 
MSRAM is a risk analysis tool and not designed or capable of being used as a meas- 
ure of effectiveness, it is not an appropriate model to assess the effectiveness of 
TWIC. 

Question 2. It has been more than 9 years since the TWIC program was created, 
but ports still do not have readers for the cards. Instead, they rely on visual 
verification, which can be more susceptible to fraud. How much will it cost to install 
readers at ports across the country and who is expected to pay for it? 

Answer. The Department of Homeland Security managed the TWIC pilot through 
the joint participation of TSA and the Coast Guard. The Coast Guard plans on using 
data from the TWIC Pilot Program, along with other studies and reader vendor 
data, to estimate the costs to fully implement the final card reader phase of the 
TWIC program. The Coast Guard is working on publishing a Notice of Proposed 
Rulemaking in the Federal Register that will present estimates of the costs to install 
readers at affected port facilities and present the number and types of affected fa- 
cilities that will need to install readers. The cost of readers, as well as any nec- 
essary installation, will be incurred by the affected facilities. The ports may apply 
for grants to fund installation. 

TWIC Projects are eligible for funding under the FEMA Port Security Grant Pro- 
gram (PSGP). TWIC related projects have been specifically funded since EY06 or 
earlier and identified as a PSGP priority since FY07. TWIC Readers and associated 
equipment have been specifically identified as the major component of over $88M 
of PSGP funded projects since FY06. Project size, scope, and costs vary greatly 
among ports, and TWIC projects may typically include readers, cameras, fencing, 
gates, lighting, and associated installation costs as part of the overall project. 
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Question 3. According to the FBI, New Jersey is home to the most at-risk area 
for a terrorist Answer, attack in the U.S. This area has targets ranging from the 
port to airports to chlorine gas plants. An attack in this area could impact 12 mil- 
lion people who live nearby. Shouldn’t TSA prioritize these high-risk areas for TWIG 
funding and implementation? 

Answer. It is essential that the prioritization for TWIG funding and reader imple- 
mentation be consistent across the Nation. Those facilities and vessels that present 
the highest risk, or are in high-risk areas, will be prioritized accordingly, as they 
were in the initial TWIG implementation. 

Question 4. GAO investigators were able to fraudulently obtain TWIG cards and 
then use them to access secure facilities. TWIG cards can be used to access literally 
thousands of facilities nationwide. What is being done to prevent fraudulently ob- 
tained cards from being used to access airports, military bases, and other secure fa- 
cilities? 

Answer. Each port establishes the requirements for access to its secure facilities. 
Possession of a TWIG, while a necessary element for access, does not guarantee its 
holder the right of access absent meeting the business case that individual port au- 
thorities establish for entering their secure facilities. The Goast Guard works with 
the ports to ensure the enforcement of security practices for access to secure facili- 
ties. 

Another important enhancement will be the use of card readers to verify TWIGs 
electronically and ensure that the cards have not been revoked. The Goast Guard 
is currently developing an upcoming rulemaking that will include requirements for 
TWIG readers at Maritime Transportation Security Act (MTSA) regulated facilities 
and vessels. Once the final card reader phase of the program is implemented for 
electronic verification of TWIGs, it will significantly enhance protection against 
counterfeit, tampered, or expired TWIGs being used to gain access to MTSA-regu- 
lated facilities and vessels. 

Finally, TSA is conducting a review of internal controls for TWIG enrollment to 
identify ways to enhance the program’s ability to prevent people from obtaining a 
TWIG using fraudulent identity documents. Almost all credentialing programs at all 
levels of government and the private sector face this challenge. TSA follows best 
practices by requiring the use of document authentication technology as a safeguard 
against TWIG applicants using counterfeit or altered identity documents at enroll- 
ment. DHS will continue to seek out best practices and new technologies to ensure 
that TWIG takes every reasonable precaution against fraud. 


United States Government Accountability Office 

Washington, DC, July 6, 2011 

Hon. Frank R. Lautenberg, 

Hon. Bill Nelson, 

Gommittee on Gommerce, Science, and Transportation, 

U.S. Senate. 

Subject: Transportation Worker Identification Gredential: Responses to Posthearing 
Questions for the Record 

On May 10, 2011, I testified before the Gommittee on Gommerce, Science, and 
Transportation on the Department of Homeland Security’s (DHS) credentialing pro- 
gram known as the Transportation Worker Identification Gredential (TWIG). This 
letter responds to the three questions for the record that you posed. The responses 
are based on work associated with previously issued GAO products. ^ Your questions 
and my responses follow. 

Question 1. Through your covert testing, you were able to obtain fraudulent TWIG 
cards and access secure facilities using fraudulent and counterfeit cards. What po- 
tential security threats are our ports and other secure facilities exposed to because 
of the problems with the TWIG program? 

Answer. We reported in May 2011 that internal control weaknesses in TWIG en- 
rollment, background checking, and use could have contributed to the breach of 
Maritime Transportation Security Act (MTSA)-regulated ports during covert tests 


1 See GAO, Transportation Worker Identification Credential: Internal Control Weaknesses Need 
to Be Corrected to Help Achieve Security Objectives, GAO-11—657 (Washington, D.C.: May 10, 
2011); Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be 
Corrected to Help Achieve Security Objectives, GAO— 11-648T (Washington, D.C.: May 10, 2011); 
and Transportation Worker Identification Credential: Progress Made in Enrolling Workers and 
Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card 
Readers, GAO— 10-43 (Washington, D.C.: Nov. 18, 2009). 
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conducted by our investigators.^ We had our investigators conduct covert testing at 
TWIC enrollment center(s) to identify whether individuals providing fraudulent in- 
formation could acquire an authentic TWIC. Further, during covert tests of TWIC 
use at several selected ports, our investigators were successful in accessing ports 
using counterfeit TWICs, authentic TWICs acquired through fraudulent means, and 
false business cases (i.e., reasons for requesting access). Our records show that oper- 
ations at the ports our investigators breached included cargo, containers, and fuel, 
among others.^ Our investigators reported that throughout the testing, security offi- 
cers did not question the authenticity of TWICs presented for acquiring access. 

According to the Coast Guard’s January 2008 National Maritime Terrorism 
Threat Assessment, al Qaeda leaders and supporters have identified western mari- 
time assets as legitimate targets.’^ Moreover, according to the Coast Guard assess- 
ment, al Qaeda-inspired operatives are most likely to use vehicle bombs to strike 
U.S. cargo vessels, tankers, and fixed coastal facilities such as ports. If an individual 
presents an authentic TWIC acquired through fraudulent means when requesting 
unescorted access to the secure areas of a MTSA-regulated facility or vessel, the 
cardholder is deemed not to be a security threat to the maritime environment be- 
cause the cardholder is presumed to have met TWIC-related qualifications during 
a background check. In such cases, individuals who wish to do harm to the maritime 
transportation system could better position themselves to inappropriately gain 
unescorted access to secure areas of a MTSA-regulated facility or vessel.® 

As we recently reported in May 2011, while one of the goals of the TWIC program 
was to improve security by reducing risks associated with fraudulent or altered cre- 
dentials by using biometrics to positively match an individual to the credential, as 
our covert tests demonstrated, an authentic TWIC and a legitimate business case 
were not always required in practice.® As detailed in our report, inspection of 
TWICs with biometric readers is not currently required. Rather, TWICs are pri- 
marily used as visual identity cards — known as a flashpass — where a card is to be 
visually inspected before a cardholder is allowed unescorted access to a secure area 
of a MTSAregulated port or facility. The investigators’ possession of TWICs provided 
them with the appearance of legitimacy and facilitated their unescorted entry into 
secure areas of MTSA-regulated ports at multiple locations across the country. If in- 
dividuals are able to acquire authentic TWICs fraudulently, verif3dng the authen- 
ticity of these cards with a biometric reader will not necessarily reduce the risk of 
undesired individuals gaining unescorted access to the secure areas of MTSA-regu- 
lated facilities and vessels. Our report noted that, unlike prior access control ap- 
proaches, which allowed access to a specific facility, the TWIC potentially facilitates 
access to thousands of facilities once the Federal Government attests that the TWIC 
holder has been positively identified and is deemed not to be a security threat. 

Question 2. According to the FBI, New Jersey is home to the most at-risk area 
for a terrorist attack in the U.S. This area has targets ranging from the port to air- 
ports to chlorine gas plants. An attack in this area could impact 12 million people 
who live nearby. Shouldn’t TSA prioritize these high-risk areas for TWIC funding 
and implementation? 

Answer. Funding for the TWIC program is a shared responsibility between the 
Federal Government and the private sector. TSA’s efforts to issue the TWIC are to 
be funded by enrollment fees collected from TWIC applicants.'^ Additional resources, 
however, would be required if TWIC is to be implemented with biometric card read- 
ers. For instance, MTSA-regulated facility operators could be required to expend re- 
sources on TWIC readers and infrastructure to support TWIC-related operations, 
such as installing fiber optic cables and investing in computing system(s) capable 
of managing and recording TWIC-related access control efforts. While funding for 
such efforts is anticipated to be the responsibility of facility operators, limited Fed- 
eral funding is expected to be available through Federal grant programs, such as 


2 GAO-11-657. 

2 The details related to the means used by the investigators in the tests could not be described 
here because they were deemed sensitive security information by TSA. 

'^U.S. Coast Guard Intelligence Coordination Center, National Maritime Terrorism Threat As- 
sessment (Washington, D.C.: Jan. 7, 2008). 

®The TWIC program requires individuals to both hold a TWIC and be authorized to be in 
the secure area by the owner/operator to gain unescorted access to secure areas of MTSA-regu- 
lated facilities and vessels. A regulation on the use of TWICs with card readers is currently 
under development and expected to address how the access control technologies, such as biomet- 
ric card readers, are to be used for confirming the identity of the TWIC holder against the bio- 
metric information on the TWIC. 

« GAO-11-657. 

"^TSA was authorized to fund the program’s operations by collecting $196.8 million in enroll- 
ment fees from TWIC applicants from Fiscal Years 2008 through 2010. 



82 


the Federal Emergency Management Agency’s (FEMA) Port Security Grant Program 
and the Transit Security Grant Program.® As we previously reported, issuance of 
such grants is, in part, based on available risk information.® 

Funding and implementing TWIG in a risk-informed manner would be consistent 
with our prior work.i® The purported benefit of making risk-informed investments 
is that Federal funds are to be directed at those programs that are most effective 
at reducing risk given available resources. However, as we reported in May 2011, 
DHS had not assessed the effectiveness of TWIG at enhancing security or reducing 
risk for MTSAregulated facilities and vessels. Further, DHS had not demonstrated 
that TWIG, as currently implemented and planned with readers, is more effective 
than prior approaches used to limit access to ports and facilities, such as using facil- 
ity-specific identity credentials with business cases. Moreover, our May 2011 report 
found that enrollment and background checking processes were not designed to pro- 
vide reasonable assurance that only qualified individuals could acquire TWICs, or 
that once issued a TWIG, TWIC-holders had maintained their eligibility. These 
weaknesses, coupled with the results of our covert tests on TWIG use, raise ques- 
tions about the effectiveness of the TWIG program. As such, we recommended that 
the Secretary of Homeland Security evaluate the costs, benefits, security risks, and 
corrective actions needed to implement the TWIG program in a manner that will 
mitigate existing security risks. Gompleting these steps will facilitate efforts to iden- 
tify high-risk areas for TWIG funding and implementation. 

Question 3. We have four of the highest volume U.S. ports in Florida, which are 
involved in tens of billions of dollars in trade each year. Did your investigators turn 
anything up unique about the efforts made by the folks running the TWIG program 
in Florida? 

Answer. Prior to being amended, previous Florida state law required workers ac- 
cessing the state’s 12 active deepwater public ports to undergo a state criminal his- 
tory records check, and Florida’s ports required workers to obtain a local port identi- 
fication card. In doing so, Florida had implemented background check and identi- 
fication requirements that extended beyond those of the TWIG program. First, prior 
to being repealed on May 24, 2011, a Florida statutory provision required that all 
applicants undergo a State of Florida fingerprint-based criminal history records 
check to identify certain specified state criminal offenses, such as theft and bur- 
glary, separately from those specifically required to be identified or considered by 
the criminal history records check conducted by the TWIG program. Second, Florida 
denied access to individuals who had obtained their TWIG through the TWIG-waiver 
process, whereby individuals with disqualifying offenses could be granted a TWIG. 
Third, Florida maintained a database that retained the fingerprints and eligibility 
status of all seaport workers accessing its ports, and provided ports with an ongoing 
notification of the workers’ criminal histories. While Florida has repealed its back- 
ground check requirements, various Florida ports still require that individuals at- 
tempting to gain access to a port or facility provide a port-specific identification card 
in addition to the TWIG to gain access to ports in Florida. 

As we reported in May 2011, our investigators were successful in accessing ports 
using counterfeit TWIGs, authentic TWIGs acquired through fraudulent means, and 
false business cases ii.e., reasons for requesting access) during covert tests of TWIG 
use at several selected ports. Information on the specific ports and locations that 
our investigators were unable to access during covert testing was deemed sensitive 
security information by TSA. However, our report states that our investigators did 
not gain unescorted access to a port where a secondary port specific identification 
was required in addition to the TWIG. 


®From Fiscal Years 2006 through 2010, $111.7 million had been made available to maritime 
facilities implementing TWIG from FEMA grant programs — the Port Security Grant Program 
and the Transit Security Grant Program. 

®See GAO, Transit Security Grant Program: DHS Allocates Grants Based on Risk, hut Its Risk 
Methodology, Management Controls, and Grant Oversight Can Be Strengthened, GAO— 09-491 
(Washington, D.C.: June 8, 2009); and Risk Management: Further Refinements Needed to Assess 
Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, GAO-06- 
91 (Washington, D.C.: Dec. 15, 2005). 

i®See GAO, Homeland Security: Applying Risk Management Principles to Guide Federal In- 
vestments, GAO-07— 386T (Washington, D.C.: Feb. 7, 2007); and GAO-06-91. 

GAO-11-657. 

12 GAO-11-657. 
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If you have any questions about this letter or need additional information, please 
contact me at (202) 512-4379 or lords@gao.gov. 

Stephen M. Lord, 

Director, Homeland Security and Justice Issues. 

o 



